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COMPUTER INSECURITIES AT DOE HEAD- 
QUARTERS: DOE’S FAILURE TO GET ITS 
OWN CYBER HOUSE IN ORDER 


TUESDAY, JUNE 13, 2000 

House of Representatives, 

Committee on Commerce, 
Subcommittee on Oversight and Investigations, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 9:10 a.m., in room 
2123, Rayburn House Office Building, Hon. Fred Upton (chairman) 
presiding. 

Members present: Representatives Upton, Burr, Bilbray, Bryant, 
Bliley, (ex officio), Stupak, Green, and DeGette. 

Also present: Representative Wilson. 

Staff present: Tom Dilenge, majority counsel; Anthony Habib, 
legislative clerk; Clay Alspach, legislative clerk; Edith Holleman, 
minority counsel; and Brendan Kelsay, minority research analyst. 

Mr. Upton. Good morning, everyone and welcome. 

Today’s alarming news story may change the focus of this morn- 
ing’s hearing a little bit. Americans everywhere want absolute as- 
surances that our nuclear secrets remain just that, secret. 

Sadly, today’s headlines are indeed startling regarding the miss- 
ing disks and the unsuccessful attempts of answering the many 
questions that are now out there. How can these disks be missing 
after more than a month with only as many as 86 individuals, 26 
being unescorted, having access to these highly classified disks? 

Real security is going to require additional changes in how DOE 
and its labs control their classified data, whether in hard copy or 
on computer disk. Our hearing today, coupled with this news from 
Los Alamos, shows how far the Department, in its lapse, still must 
go to make security the priority that everyone wants it to be. 

This subcommittee will hold a hearing to continue its year-long 
review of cyber security practices at the Department of Energy. 
This time, our focus is not on the Department’s nuclear weapons 
labs — which have received the lion’s share of attention and have 
made real improvements in computer security since last year — ^but 
on DOE headquarters itself. Unfortunately, the current situation at 
DOE headquarters is little better than where the labs were a year 
ago, a startling and troubling revelation given the Secretary’s pro- 
fessed commitment over 1 year ago to make security, and cyber se- 
curity in particular, a top priority throughout the Department. 

We’ll hear today once again from Mr. Glenn Podonsky, whose of- 
fice conducts independent reviews of DOE security practices, in- 

( 1 ) 
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eluding the latest audit of headquarters cyber security completed 
last month. At our last hearing on DOE’s security issues, Mr. 
Podonsky’s office promised in response to Congresswoman Wilson’s 
questioning to initiate an expedited review of headquarters cyber 
security, and I am pleased that he’s with us to report to the sub- 
committee on the findings of this audit. In particular, we will hear 
that the headquarters computer network has many significant and 
easily exploitable vulnerabilities that render it both susceptible to 
internal and external threats. 

As with the labs, we will hear once again about the lack of inter- 
nal security controls to limit the ability of authorized and unau- 
thorized users, including some foreign nationals, to move freely 
among the various program office systems to compromise sensitive 
information. On this unified network is not only the Secretary’s of- 
fice but also key program functions, such as defense programs, non- 
proliferation and national security, security operations, counter- 
intelligence, the general counsel and inspector general, and even 
Mr. Podonsky’s office. While these offices’ classified data is phys- 
ically separate from the unclassified network, the audit does raise 
concerns about whether the tighter controls that were ordered 
more than a year ago by the Secretary to limit the transfer of clas- 
sified data to the unclassified systems have in fact been imple- 
mented at DOE’s own headquarters. 

As with the labs, we’ll also hear about deficiencies in certain fire 
walls and intrusion detection systems. While no Internet fire wall 
is ever 100 percent foolproof, it is important that a sytem be able 
to quickly detect and block this spread of unauthorized entries into 
the network. By this important measure, DOE falls significantly 
short of the mark. 

From a management perspective, the audit essentially finds that 
no single person or entity is in charge of this network, an amazing 
finding in and of itself, and most likely the root cause of the tech- 
nical problems uncovered by this audit. It appears that much like 
other Federal agencies the committee has looked at, the chief infor- 
mation officer at DOE is the chief in name only. 

Given Secretary Richardson’s reorganization last summer, which 
elevated the CIO and gave him responsibility for all cyber security 
efforts throughout the Department, I would have thought that the 
CIO would have also received the authority to mandate certain 
minimum requirements and corrective actions to vulnerable sys- 
tems. Instead, we now find out that the CIO lacks, according to the 
audit, “real and perceived authority to order changes,” a view ap- 
parently shared by the CIO himself. 

I know I must speak for many members of this committee when 
I say that I find the whole situation bewildering. How could DOE 
headquarters, which was the catalyst for the security changes at 
the nuclear weapons labs last year, leave its own systems so vul- 
nerable to misuse; and why is the Department’s CIO so powerless 
to change the situation? 

These and many other questions will be explored at today’s hear- 
ing, and I welcome our panel of witnesses. In particular, I look for- 
ward to the testimony of General Habiger, DOE’s security czar, and 
Mr. Gilligan, DOE’s CIO, on what technical and management 
changes DOE intends to make to fix these serious problems and on 
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what timetable. I am glad to see that after we’d noticed this hear- 
ing last week, the Department immediately moved to give this CIO 
new powers over the headquarters network; and I hope he uses 
that power to quickly and effectively gain control over this impor- 
tant cyber system. 

At this point, I yield to my friend from Michigan, Mr. Stupak, 
the acting ranking member for this morning’s hearing. 

Mr. Stupak. Thanks, Mr. Chairman, and thanks for holding this 
important hearing. 

Yesterday, I was prepared to give an opening statement regard- 
ing cyber security at the Department of Energy, but after reading 
the New York Times yesterday, I was forced to substantially 
change my statement. 

I’m very concerned that the Department of Energy has no idea 
what happened to two hard drives containing classified information 
about our nuclear weapons program. According to the New York 
Times, the hard drives contained detailed specifications about U.S. 
and Russian nuclear weapons. However, what is more concerning 
is the laissez-faire attitude Los Alamos National Laboratory and 
the Department of Energy have displayed in trying to ascertain 
what happened to highly classified information. 

In the article, a senior Energy official is quoted as saying, “In my 
opinion, it’s premature to call this a security breach.” Well, I, for 
one, think it is a security breach and has definitely been breached 
and no one can say what has happened to the hard drives, who had 
control of the hard drives or who last had access to them. 

I have to tell you, in my hometown of Menominee, Michigan, if 
I want to check out a library book at the Menominee Public Li- 
brary, you have to have a library card and they make a record if 
you remove the book; and if you keep the book too long, they send 
you a notice asking you to return it. Eventually, they charge you 
late fine. Most Americans would find it hard to believe that Me- 
nominee Public Library has a more sophisticated tracking system 
for “Winnie the Pooh” than Los Alamos has for highly classified nu- 
clear weapons data. That is exactly the situation we’re faced with. 

Mr. Curran, the Director of the Department’s Counterintelligence 
Office, is quoted as saying, “At this point, there is no evidence that 
suggests espionage is involved in this incident.” 

How are we going to find out? Does Mr. Curran expect someone 
from Baghdad or Beijing to call them next year and ask for a soft- 
ware update? 

We need to get the answers from the witnesses on a number of 
issues. Why did it take Los Alamos National Laboratory 3 weeks 
to alert the Department of Energy that the hard drives were miss- 
ing? How were these hard drives and computers stored? A couple 
of months ago the State Department lost highly classified informa- 
tion on nuclear weapons. Now Los Alamos has misplaced highly 
classified information. This is not a joke. We’re talking about high- 
ly classified nuclear weapons data. 

I have been a critic of the lack of security at our nuclear weapons 
laboratory at Lawrence Livermore, Los Alamos and other facilities. 
Other members have come to me and asked me to tone it down; 
I will once the national labs take the security breaches seriously. 
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I believe it’s time to take — make security at our national labs a 
military priority and not a civilian afterthought. 

Mr. Chairman, we need answers and we need results. While I 
understand the witnesses are prepared to discuss cyber security at 
the Department of Energy, I intend to ask questions about the lat- 
est loss of our Nation’s nuclear secrets, and I hope I will get some 
answers to my questions today. 

Thank you, Mr. Chairman. 

Mr. Upton. I recognize Mr. Bliley for an opening statement. 

Chairman Bliley. Thank you, Mr. Chairman. 

Since allegations of spying at Los Alamos first surfaced early last 
year, this committee and the American public have been subject to 
a steady stream of press releases, action plans, tough talk and 
photo ops from Secretary Richardson and senior DOE officials, de- 
signed to show a commitment to security at the Department of En- 
ergy. They have crisscrossed the country, making lots of visits to 
the nuclear weapons labs, demanding reforms and upgrades to se- 
curity systems, particularly computer systems; and we’ve been told 
that the Department’s contractors have, “gotten the message,” 
“zero tolerance,” for poor security. 

I certainly don’t mean to belittle these efforts because they have 
had some positive effect, particularly when combined with this 
committee’s aggressive oversight and the bright media spotlight. 
But despite the travels and television appearances, the Secretary 
apparently hasn’t checked his own headquarters office. Effective 
leadership requires making sure your own house is in order when 
demanding others clean up theirs. Today, we are witnessing noth- 
ing less than a failure of leadership. 

A recent internal inspection by the Department’s independent 
cyber security team, prompted by Congresswoman Wilson’s request 
during our last oversight hearing on this matter, has revealed real 
flaws in the cyber security program at the Department’s own head- 
quarters that should have been corrected a long time ago. Indeed, 
the Department knew about many of these flaws for some time be- 
fore this latest inspection occurred yet failed to fix them. That 
doesn’t seem like zero tolerance to me, and it highlights serious 
management failures. 

Indeed, one of the key findings in this report is that the Depart- 
ment, in executing its cyber security program at headquarters, has 
ignored the most basic principle of computer security, that a net- 
work is only as strong as its weakest link. Individual DOE program 
offices essentially set their own rules on security, which results in 
real differences in levels of security. This situation puts the entire 
DOE network, which contains a large amount of sensitive informa- 
tion, at serious risk of compromise or misuse. 

Whatever the DOE spin on this is, there can be little doubt that 
the latest audit of cyber security is a terrible embarrassment to the 
Department and to the administration. How could such a situation 
exist at DOE if security is really a top priority? 

The audit report concludes by stating that senior management 
attention is needed to fix the problems plaguing the Department’s 
cyber security system. I am not sure how much more senior we can 
get than the Secretary, who supposedly has been focused on secu- 
rity at least since the spy scandal erupted over a year ago. I think 
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it is time he and the rest of the Department focused equal atten- 
tion on eliminating risks closer to home. 

Finally, I just want to say a word about the recent revelations 
of missing classified data from Los Alamos. It is alarming that, de- 
spite the alleged focus on security over the last year, it appears the 
Department of Energy and its labs still have a long way to go be- 
fore the American public can or should feel confident that our nu- 
clear secrets are safe in their hands. Several months ago, I re- 
quested the General Accounting Office conduct an investigation 
into whether DOE and its labs have proper procedures in place to 
control and account for their classified documents and electronic 
media. The latest news from Los Alamos suggests that, whether or 
not this missing data is eventually recovered, the answer is no. 

Thank you, Mr. Chairman. 

Mr. Upton. Thank you, Mr. Chairman. 

Mrs. Wilson. 

Mrs. Wilson. I ask unanimous consent to be allowed to sit in on 
this hearing of the Oversight and Investigations Subcommittee. 

Mr. Upton. Without objection, so ruled. 

Would the gentlelady like to make an opening statement? 

Mrs. Wilson. Yes, Mr. Chairman, I would. 

Thank you, Mr. Chairman, for letting me sit in on this sub- 
committee hearing. I am not normally on the Subcommittee on 
Oversight and Investigations. I have a particular interest and con- 
cern on the issue of cyber security at our national laboratories. 

In fact, this hearing and the testimony that we’re going to hear 
today is the result of an inquiry that I made at a previous hearing 
about security at DOE headquarters. Because as all of us know, a 
system is only as strong as its weakest wall. And if we focus only 
on cyber security of systems out on the periphery of the Depart- 
ment of Energy and not those at DOE headquarters, we haven’t 
strengthened the security system in the Department of Energy. 

I understand that we will hear testimony today about cyber secu- 
rity at the headquarters of the Department of Energy on its unclas- 
sified systems. That inquiry parallels those that have previously 
been made at the outer rings of the Department of Energy, includ- 
ing at our national labs. We do not yet know how secure the classi- 
fied systems are at DOE headquarters, but the preliminary reports 
that I have seen about the testimony we’re going to hear today are 
troubling. It means that Department of Energy has been out look- 
ing at all of its contractors and subcontractors, and at the periph- 
ery of its organization, being critical, and rightly critical, while it 
didn’t have its own house in order. 

General Habiger, you and I were trained in some of the same 
places, with similar kinds of ethics and values, and I think both of 
us believe in leadership by example. And I am glad that you’re now 
looking at the Department of Energy headquarters and trying to 
lead by example. But I am a little sorry that it took this kind of 
prodding to get the Department of Energy to do so. 

With respect to information systems and cyber security and com- 
puter security, all of us know that it must be systemic. It is by its 
nature systemic, and computer security has to be looked at as a 
whole and not just in pieces. I suspect that is one of the problems 
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at the Department of Energy. Every little fiefdom within the De- 
partment of Energy runs its own show, and part of it is weak. 

I do want to say something, just briefly, about the reports yester- 
day from Los Alamos National Laboratory. Eolks from Los Alamos 
came to my office yesterday to give me preliminary information 
about the loss of classified data at Los Alamos National Labora- 
tory, and I find it deeply troubling. We don’t yet know a lot about 
what happened, and I support the ongoing investigation to find out. 

I have also requested that the Intelligence Committee, on which 
I sit, hold an immediate classified briefing on what was lost and 
what we know at this point. 

There are a number of questions that I still have. They’re inap- 
propriate to ask in an unclassified forum, and I will be asking 
those questions in the House Permanent Select Committee on In- 
telligence as early as this week. 

There is one thing, though, that this most recent incident under- 
scores for me, and that is the need to move forward rapidly with 
the implementation of the NNSA and the confirmation of General 
John Gordon to lead it. At the moment, the nuclear weapons com- 
plex in this country is in a state of limbo, of neither being part of 
the Department of Energy nor having a real head of its own. That 
is unsustainable if we want that organization to move forward, to 
improve security at our national labs and our nuclear weapons 
complex, and to come up with a concerted plan for the future. 

Thank you, Mr. Chairman. 

Mr. Upton. Thank you. Well, gentlemen, as you know, as you 
have testified before, we have a long-standing tradition of taking 
testimony under oath before this subcommittee. Do you have any 
objection to that? 

Voices. No. 

Mr. Upton. And committee rules allow you to be represented by 
counsel if you wish such. Do you desire to have counsel representa- 
tion? 

Voices. No, sir. 

Mr. Upton. In that case, if you would now stand and raise your 
right hands. 

[Witnesses sworn.] 

You are now under oath, and as you heard at the beginning, I 
guess we’re going to allow you to take a little extra time in deliv- 
ering your testimony. 

Mr. Podonsky, we’ll start with you. Welcome back. 

TESTIMONY OF GLENN S. PODONSKY, DIRECTOR, OFFICE OF 

INDEPENDENT OVERSIGHT AND PERFORMANCE ASSUR- 
ANCE, ACCOMPANIED BY BRADLEY A. PETERSON, OFFICE 

OF CYBER SECURITY AND SPECIAL REVIEWS, U.S. DEPART- 
MENT OF ENERGY 

Mr. Podonsky. Thank you, Mr. Chairman. I appreciate the op- 
portunity to 

Mr. Upton. If you could just pull the mike a little bit closer, that 
would be terrific. 

Mr. Podonsky. I appreciate the opportunity, Mr. Chairman, to 
appear before this committee to discuss our April inspection of un- 
classified cyber security systems at the DOE headquarters. 
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As you know, the Office of Independent Oversight and Perform- 
ance Assurance provides the Secretary of Energy with an inde- 
pendent view of the effectiveness of safeguards and security, emer- 
gency management, and cyber security policies and programs 
throughout the DOE complex. With me this morning is Mr. Brad 
Peterson, the head of my cyber security office. 

In the past, DOE sites often focused on making information eas- 
ily available and computer systems easy to use, which frequently 
led to cyber security receiving a low priority. Also, DOE policy was 
not always followed, which allowed implementation of computer 
systems in ways that did not provide for effective security. 

Particularly disturbing to us was the situation in 1994 at Los Al- 
amos when my office pointed out that the classified network had 
connections to the unclassified network, posing the risk that an au- 
thorized user could download large quantities of classified informa- 
tion to an unclassified computer with little chance of detection. 

Over the past 15 years, the DOE headquarters has often received 
less than satisfactory ratings in many areas, including cyber secu- 
rity. Until Secretary Richardson’s involvement, the program offices 
were in some cases unwilling to commit resources to enhance secu- 
rity. Recent results, however, have been more positive. A number 
of cyber security upgrades and other initiatives have been com- 
pleted or are under way. 

The results of our inspection in April indicate that important de- 
ficiencies still need to be addressed. Many program offices have 
cyber security programs that would be considered effective if they 
were not connected to less effective networks. 

Generally, the main headquarters fire wall is effective; however, 
several Web servers managed by individual program offices are lo- 
cated completely outside the fire wall boundary. Most were found 
to be vulnerable to hacking, and some have vulnerabilities that 
could allow any Internet user to gain system administrator-level 
privileges and subsequently deface or shut down the Web site. 
Headquarters has not developed overall cyber security procedures 
or minimum requirements for each network segment on the net- 
work. 

The fragmented management systems and practices currently in 
place are a root cause of many identified weaknesses. While the 
chief information officer has attempted to address many of these 
weaknesses, the effectiveness of these initiatives has been limited 
due to lack of real or perceived authority. This fragmentation re- 
sults in part from weaknesses in policy, which does not address the 
unique situation at headquarters or establish overall responsibil- 
ities and authorities. 

My office is continually expanding its ability to conduct network 
performance testing, using tools we have acquired or developed. We 
currently have an extensive cyber security laboratory dedicated to 
testing cyber security features. We also conduct regular inspection 
of cyber security systems at DOE sites. 

We will conduct an inspection of the classified cyber security at 
DOE headquarters next month in conjunction with a comprehen- 
sive inspection of all the safeguards and security policies and pro- 
grams at the headquarters. We also will continue to follow up and 
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work closely with General Habiger’s office as they work to clarify 
and enhance cyber security policy and guidance. 

Although much work remains, it is clear that a positive trend in 
classified cyber security has been established at the headquarters 
and that DOE headquarters has heard the wake-up call from the 
Secretary and from the congressional committees. Cyber security is 
receiving a significantly higher level of attention from senior man- 
agement than in the years gone past, and we are seeing more im- 
provements that could not have been made without management 
support and the Secretary’s involvement. 

Finally, our independent oversight function as a direct report to 
the Secretary has a mechanism in place, a mandated corrective ac- 
tion plan, that ensures independent oversight findings will be ad- 
dressed. With these measures, we expect the identified weaknesses 
will be corrected. 

Thank you, Mr. Chairman. 

[The prepared statement of Glenn S. Podonsky follows:] 

Prepared Statement of Glenn S. Podonsky, Director, Office of Independent 
Oversight and Performance Assurance, U.S. Department of Energy 

Thank you Mr. Chairman. I appreciate the opportunity to appear before this com- 
mittee to discuss our Independent Oversight activities as they relate to unclassified 
cyber security at DOE Headquarters. The Office of Independent Oversight and Per- 
formance Assurance is responsible for providing the Secretary of Energy with an 
independent view of the effectiveness of DOE policies and programs in the areas of 
safeguards and security, emergency management, and cyber security. 

My remarks this morning will focus on the recent Independent Oversight inspec- 
tion of unclassified cyber security systems at the DOE Headquarters, which was 
conducted in April 2000. I will also briefly summarize some historical perspectives 
to provide a background on how we got to where we are today. Finally, I will discuss 
our plans for upcoming inspections at DOE Headquarters, follow-up activities, and 
other initiatives. 

Historical Perspectives. 

From the early days of computer networks, DOE has historically struggled with 
the area of cyber security. For a variety of reasons, such as the emphasis on intellec- 
tual freedom and open exchange of ideas, DOE sites, in the past, often focused on 
making information easily available and computer systems easy to use. This often 
led to situations in which cyber security received a lower priority than user conven- 
ience or operational efficiency. 

There were also instances where DOE and contractor management did not follow 
DOE policy and allowed sites to implement computer systems in ways that did not 
provide for effective security. A particularly disturbing example was the situation 
in Los Alamos in 1994 when my office pointed out that the classified network had 
connections to the unclassified network, which posed a risk from an insider. Using 
these connections, an authorized user could download large quantities of classified 
information to an unclassified computer with little chance of detection. 

During most Oversight inspections over the last 15 years, the DOE Headquarters 
has performed poorly, often receiving less than satisfactory ratings in many areas, 
including cyber security. In many cases, until Secretary Richardson’s involvement. 
Headquarters program offices were unwilling to commit resources to enhance secu- 
rity or to implement the same requirements they imposed on the field. 

Recent results, however, have been more positive. Headquarters has completed a 
number of cyber security upgrades and has other initiatives underway. 

Before talking about the results of the recent Headquarters inspection, I would 
like to take a moment to share with you some of the techniques we use for evalu- 
ating the effectiveness of cyber security programs. We began to use automated tools 
to performance test security features in 1995. This use of technology was a quantum 
step forward and dramatically increased our ability to test network security. Using 
automated network scanning tools, we are able to test thousands of systems and all 
network connections and features in a period of a week. Previously, such an effort 
would have taken a year or more. 
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We have continually expanded our ability to conduct performance tests of net- 
works using tools that we have acquired or developed on our own. For example, we 
have software programs — referred to as “war dialers” — that can test every phone 
line at a DOE site in a matter of days to determine whether unauthorized modems 
exist. If present, such modems could be located and used by hackers to bypass the 
firewall to gain access to information or destroy data. 

We currently have an extensive cyber security laboratory dedicated entirely to 
testing cyber security features. We conduct regular inspections of the implementa- 
tion of cyber security at DOE sites. We have expanded our methods to include a 
program of unannounced inspections and penetration testing. Most recently, we 
have been implementing what is commonly referred to as a RED Team approach, 
in which we use a variety of techniques to perform detailed tests of a site’s cyber 
security features. These tests include penetration testing by experts who are thor- 
oughly familiar with the latest hacker techniques and methods. 

Our assembled team of inspectors, together with our cyber security laboratory, en- 
ables us to conduct penetration testing on par with some of the best known hackers. 
With this extensive testing capability, it is not surprising that we continue to find 
weaknesses in implementation. Many DOE sites recently have established their own 
programs for regular scans of their networks and tests of their security features. 
This is one of the most positive trends in DOE, because an ongoing, effective self- 
assessment program is essential to effective network security. 

In addition to the rigorous performance testing of systems, our inspections also 
include an evaluation of the programmatic, management system elements that are 
the essential foundation of a cyber security program. By looking at such elements 
as leadership, risk management, procedures and performance evaluation, we are 
able to identify not only specific technical deficiencies, but also underlying root 
causes, which must be addressed to prevent recurrence of the problems. 

Summary of the April inspection of HQ unclassified cyber security systems 

The results of our April Headquarters inspection of unclassified cyber security in- 
dicate that important deficiencies need to be addressed. Many program offices have 
cyber security programs that would be considered effective if evaluated on their own 
merits (that is, they would be effective if they were not connected to less effective 
networks of other organizations). Within several program offices, leadership and 
support for cyber security are good, and roles and responsibilities are well defined. 
Much of the recent improvement can be attributed to the attention and efforts of 
Secretary of Energy and the DOE Chief Information Officer to improve cyber secu- 
rity across the complex. The Chief Information Officer has been aggressive in cre- 
ating policy and has taken an active role in addressing DOE-wide problems. The 
CIO has worked to strengthen cyber security within the Headquarters and improve 
the security of the network backbone and main firewall. The CIO has also supported 
the Headquarters program offices through efforts such as regular scanning of net- 
works to identify vulnerabilities that need corrective action. 

Despite recent progress, weaknesses continue to exist in several important aspects 
of the Headquarters cyber security program. Weaknesses regarding the backbone 
switches and individual systems throughout the network were identified. Our test- 
ing demonstrated how a malicious insider could exploit these weaknesses. The re- 
sults of these tests demonstrate the need for continued vigilance of network secu- 
rity. 

Generally, the main Headquarters firewall was effective. However, several Web 
servers are managed by individual program offices and are located completely out- 
side the firewall boundary. Most of these servers were found to be vulnerable to 
common hacking exploits, and some contain vulnerabilities that could allow any 
Internet user to gain system administrator-level privileges, and subsequently deface 
or shut down the Web site. To demonstrate this possibility, we exploited one of the 
vulnerabilities and gained system administrator-level privileges to one of the serv- 
ers. There is also some concern that the risk of alternate pathways into the network 
that could allow unauthorized access has not been evaluated. 

The potentially exploitable vulnerabilities in the Headquarters network result 
from a number of weaknesses in the unclassified cyber security program. Head- 
quarters has not developed overall cyber security procedures (such as policies for 
modems or foreign national access) or procedures to establish minimum require- 
ments for each network segment on the network. There is no formal process for 
evaluating performance and for self-identifying and correcting vulnerabilities in the 
overall network. Additionally, Headquarters risk assessments have not been rig- 
orous. 

The fragmented management systems and practices currently in place are a root 
cause of many of the programmatic weaknesses and technical vulnerabilities. While 
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the DOE Chief Information Officer has attempted to address many of the weak- 
nesses associated with this fragmentation, we determined that the effectiveness of 
these initiatives has been limited due to the lack of real and perceived authority. 
This fragmentation results in part from weaknesses in policy, which does not ad- 
dress the unique situation at DOE Headquarters or establish overall responsibilities 
and authorities for Headquarters. The 25 individual LAN segments, covering 29 dif- 
ferent program offices, have widely varying levels of effectiveness. 

While some program offices have established effective practices, others have poor 
configuration management practices, ineffective policies and procedures, and ineffec- 
tive intrusion detection strategies. Because of the configuration of the overall net- 
work (that is, the lomcal connections among all systems with few security barriers 
between segments), the overall system is only as good as the weakest link. In effect, 
the potentially effective practices of some program offices are largely negated by the 
ineffective practices of other program offices. 

To summarize the results of our inspection, the increased focus on cyber security 
and the positive measures that have been implemented at DOE Headquarters have 
resulted in significant improvements in cyber security. However, additional improve- 
ments are needed, with particular emphasis on assessing and managing risk and 
on addressing vulnerabilities that can be exploited from within the internal net- 
work. 

Plans for Independent Oversight Follow-up and other DOE Initiatives 

We will be performing follow-up activities to determine whether identified weak- 
nesses have been addressed. Although in the early stages of their corrective actions. 

Headquarters personnel have been generally responsive to the inspection findings 
and have started corrective actions. 

In a related effort, we will be conducting an inspection of the “classified” cyber 
security program at DOE Headquarters in July 2000 in conjunction with a com- 
prehensive inspection of Headquarters’ safeguards and security policies and pro- 
grams. Independent Oversight will also continue to work with the Office of Security 
and Emergency Operations as they work to clarify and enhance cyber security policy 
and guidance. 

Although much work remains, it is clear that a positive trend has been estab- 
lished at DOE Headquarters in the area of unclassified cyber security. While contin- 
ued, close Independent Oversight attention is warranted, there are several reasons 
to be cautiously optimistic that this positive trend will continue. For example, it is 
clear that DOE Headquarters has heard the wake-up call from the Secretary and 
Congressional Committees. Cyber security is receiving a significantly higher level of 
attention from senior management than in the past, and we are seeing some im- 
provements that could not have been made without management support and the 
Secretary’s personal involvement. In addition, the Office of Security and Emergency 
Operations and the DOE Chief Information Officer have indicated a willingness to 
improve policies and guidance to ensure there is a clear and unambiguous Basis for 
holding line management accountable for effective security. Finally, our Inde- 
pendent Oversight function, as a direct report to the Secretary, has a mechanism 
in place — the mandated corrective action plan — that ensures Independent Oversight 
findings are addressed. With these measures, we have reason to be optimistic that 
identified weaknesses will be corrected. 

Thank you Mr. Chairman; this concludes my comments. 

Mr. Upton. General Habiger. 

TESTIMONY OF EUGENE E. HABIGER, DIRECTOR, OFFICE OF 
SECURITY AND EMERGENCY OPERATIONS, ACCOMPANIED 
BY JOHN M. GILLIGAN, CHIEF INFORMATION OFFICER, U.S. 
DEPARTMENT OF ENERGY 

Mr. Habiger. Mr. Chairman, distinguished members of this sub- 
committee, thank you for the opportunity to appear before you 
today to testify on Mr. Podonsky’s Office of Independent Oversight 
and Performance Assurance report on our headquarters. While not 
always pleasant to hear, these reviews are essential in our ongoing 
efforts to ensure that we protect our information systems and the 
information they process. 

I readily acknowledge and accept the findings of this review. As 
recognized by the review itself, we have made much progress in the 
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headquarters unclassified security program over the past 2 years. 
The Office of Chief Information Officer, under the very capable 
leadership of John Gilligan, has moved aggressively to address 
DOE-wide problems to include the establishment of new policy gov- 
erning our unclassified systems. At headquarters, John and his 
staff have made significant improvements in the security of the 
network backbone and our main firewall. Despite this progress, 
however, I acknowledge there is room for improvement. 

I also want to be straightforward with you and freely admit that 
over the past year our focus has been directed at our defense facili- 
ties and then our other large sites. As a result, headquarters has 
not received the same level of attention. This level of attention is 
directly correlated to the funds appropriated to us for cyber secu- 
rity. As part of our fiscal year 2000 Budget Amendment Request 
that I was personally involved with in July of last year, we asked 
for $35 million to address our cyber security needs, but were appro- 
priated only $7 million. With such a shortfall, some hard decisions 
had to be made. 

Mr. Chairman, I now quote from my sworn testimony of October 
26 of last year in front of this very committee, “Congress has, up 
to this point, failed to fund the Department’s fiscal year 2000 full 
budget amendment in order for us to make near- and long-term 
fixes. We have valid requirements in the area of cyber security to 
buy hardware, encryption equipment and to train our systems ad- 
ministrators. Simply stated, we have been given a mandate, but 
not the resources to accomplish that mandate.” 

I cannot in retrospect tell you that if we had received the addi- 
tional $28 million we requested back in July that we would have 
no cyber security discrepancies, but I can assure you, Mr. Chair- 
man, that in my judgment they would not have been of the same 
order of magnitude. 

Consequently, the headquarters unclassified cyber security initia- 
tives were given lower priority in light of more pressing needs at 
our field sites. Granted, not all of the issues identified were the re- 
sult of funding shortfalls. Where limited funds were not an issue, 
we moved quickly to take corrective action. 

In addition, the Deputy Secretary recently directed that the Of- 
fice of Chief Information Officer serve as the central cyber security 
authority for the headquarters. This action addresses the rec- 
ommendations to establish the necessary management structure to 
implement an effective cyber security program at our headquarters. 

Additionally, we are implementing longer-term actions to im- 
prove the efficiency of the cyber security program by adopting best 
security practices and a more proactive risk assessment program. 

I want to assure you that we are fixing the shortfalls identified 
in the independent oversight review. Headquarters should and will 
set the standard for the rest of the Department on how it imple- 
ments security of our unclassified systems. 

Thank you, Mr. Chairman. 

[The prepared statement of Eugene E. Habiger follows:] 

Prepared Statement of Eugene E. Habiger, Director, Office of Security and 
Emergency Operations, U.S. Department of Energy 

Mr. Chairman and distinguished members of the Subcommittee, thank you for the 
opportunity to appear before you today to testify on the Office of independent Over- 
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sight and Performance Assurance’s report entitled, “Unclassified Cyber Security Re- 
view of Department of Energy Headquarters.” While not always pleasant to hear, 
these reviews are essential in our ongoing efforts to ensure that we protect our in- 
formation systems and the information that they process. 

I readily acknowledge and accept the findings of the Independent Oversight re- 
view. As recognized by the review itself, we have made much progress in the Head- 
quarters unclassified cyber security program over the past two years. The Office of 
the Chief Information Officer, under the very capable leadership of John Gilligan, 
has moved aggressively to address DOE-wide problems to include the establishment 
of new policy governing our unclassified systems. At Headquarters, John and his 
staff have made significant improvements in the security of the network backbone 
and main firewall. Despite this progress, however, there is room for improvement. 

I also want to be straightforward with you and freely admit that over the past 
year our focus has been directed at our defense facilities and then our other large 
sites. This level of attention is directly correlated to the funds appropriated to us 
for cyber security. As part of our FY 2000 Supplemental Budget Amendment re- 
quest, we asked for $35 million to address our cyber security needs, but were appro- 
priated only $7 million. With such a shortfall, some hard decisions had to be made. 

Mr. Chairman, I now quote from my sworn testimony of October 26, 1999 in front 
of this committee: “. . . Congress has, up to this point, failed to fund the Depart- 
ment’s FY 2000 full budget amendment in order to make near and long term fixes. 
We have valid requirements in the area of cyber security to buy hardware, 
encryption equipment and to train our systems administrators . . . Simply stated, we 
have been given a mandate but not the additional resources to accomplish that man- 
date.” I cannot in retrospect tell you that had we received the additional $28M we 
requested back in July of last year, that we would have had no cyber security dis- 
crepancies . . . but, I can assure you that they would not have been of the same order 
of magnitude. 

Consequently, the Headquarters unclassified cyber security initiatives were given 
lower priority in light of more pressing needs at our field sites. Granted, not all of 
the issues identified were the result of funding shortfalls. Where limited funds were 
not an issue, we moved quickly to take corrective action. For example, the Deputy 
Secretary recently directed that the Office of the Chief Information Officer serve as 
the central cyber-security authority for Headquarters. This action addresses the rec- 
ommendation to establish the necessary management structure to implement an ef- 
fective cyber-security program at Headquarters. 

Additionally, we are implementing longer-term actions to improve the efficiency 
of the cyber security program by adopting 

• best security practices, and 

• a more proactive risk assessment program. 

I want to assure you that we are fixing the shortfalls identified in the Inde- 
pendent Oversight review. Headquarters should and will set the standard for the 
rest of the Department on how it implements security of its unclassified systems. 
With your permission, I would now like to yield to John Gilligan, the Chief Informa- 
tion Officer of the Department of Energy, to elaborate on how we are progressing 
on our Headquarters efforts. 

Mr. Upton. Mr. Gilligan. 

TESTIMONY OF JOHN M. GILLIGAN 

Mr. Gilligan. Thank you, Mr. Chairman and distinguished 
members of the subcommittee, for the opportunity to appear before 
you today. My testimony will focus on actions we have taken across 
the Department to improve the level of cyber security protection in 
our systems and networks. I will also discuss the cyber security 
weaknesses that have been identified in the headquarters during 
the recent review by the Department’s independent oversight orga- 
nization, as well as our efforts to remedy these identified weak- 
nesses. 

I am pleased to say that the state of cyber security at the De- 
partment of Energy is far better today than it was a year ago. A 
year ago there was clear evidence that the Department’s cyber se- 
curity efforts, in particular for our unclassified computer systems, 
had not kept pace with the rapid proliferation of network connec- 
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tion and increasing threats. Our policies were outdated, cyber secu- 
rity compromises at some sites led to significant work disruptions, 
and we did not have awareness of cyber security threats or ade- 
quate training of our work force to deal with these threats. These 
concerns were reported in congressional hearings and other forums. 
This was a painful wake-up call for the Department, but a nec- 
essary one. 

During the past year, each DOE organization has focused on im- 
proving awareness of cyber security threats and installing im- 
proved security controls. I have seen enormous progress in how un- 
classified information is protected and a significant increase in the 
awareness of cyber security issues at all levels within the Depart- 
ment. While we have worked this issue aggressively, cyber security 
is not a quick fix and more needs to be done. However, the security 
protection in the Department is improving rapidly, and I appreciate 
the opportunity to discuss our progress. 

Since the spring of 1999, the Secretary of Energy and I have em- 
phasized the Department-wide focus on cyber security. The initial 
focus was on our defense laboratories and production facilities, 
with aggressive programs to upgrade and verify fixes at these fa- 
cilities last summer and fall. This focus has subsequently been ex- 
tended to all DOE sites. Over this period, the Department has com- 
pletely restructured its cyber security program. Actions taken in- 
clude the following: 

Creating a single Department-wide cyber security office under 
me as the Department’s Chief Information Officer; requiring work 
stand-downs at all sites to conduct security awareness training; de- 
veloping and issuing four new cyber security policies and two new 
cyber security guidelines; instituting a set of cyber security metrics 
which permit us to evaluate progress at each site; doubling the size 
and increasing the role of the central DOE security incident and 
early warning capability, our computer incident advisory capability 
located at Lawrence Livermore Laboratory; having each DOE site 
develop a detailed site-specific cyber security plan describing the 
implementation of cyber security protection at the site; deploying 
a number of security training programs Department wide to im- 
prove the security skills of our systems administrators and a sepa- 
rate training course provided to our line managers. 

Finally, each site has significantly upgraded its protection 
through the use of firewalls and intrusion detection software, 
stronger passwords, improved system configuration controls and re- 
configuration of system and network connectivity to reduce 
vulnerabilities. 

In addition, the Secretary has created a proactive, independent 
security assessment organization, the Office of Independent Over- 
sight and Performance Evaluation, reporting directly to him, to 
provide an independent review of security throughout the complex. 
For the past year, this independent oversight office has been con- 
ducting thorough reviews of cyber security effectiveness at DOE 
sites. 

As Chief Information Officer, I am a key customer of the prod- 
ucts of the independent oversight reviews. I rely on these reviews 
to provide me with an objective assessment of the effectiveness of 
the cyber security at our sites and the effectiveness of the CIO 
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cyber security policies. In essence, the independent oversight re- 
views provide critical feedback to me on how the individual sites 
are progressing with cyber security upgrades, and my staff often 
participates in the reviews. 

Since last summer the independent oversight organization has 
conducted 13 reviews. In those instances where significant 
vulnerabilities were identified, my policy staff and I have worked 
with the site and the line management organizations to ensure 
that there is rapid resolution. Action plans for fixing problems 
identified in the independent oversight reviews are tracked by the 
DOE Security Council that is chaired by the DOE Security Czar 
General Habiger. 

In cases where there are significant weaknesses identified, a 
rapid follow-up review by the independent oversight team is sched- 
uled. We have done such follow-up reviews at a number of our fa- 
cilities over the past year. These follow-up reviews provide me and 
other senior Department officials with clear evidence that those 
sites are, in fact, making rapid progress to remedy the identified 
cyber security problems. 

In April of this year, the DOE independent oversight office con- 
ducted a review of the headquarters unclassified cyber security pro- 
gram. This assessment included a programmatic review and testing 
of controls to prevent or limit access to the headquarters informa- 
tion network against the external threats, such as unauthorized 
system hackers, and internal threat, for example. Department em- 
ployees. 

As you have heard from Mr. Podonsky, the review found that, al- 
though unclassified cyber security at headquarters has significantly 
improved in the past 2 years, there are still significant deficiencies 
that need to be addressed. In particular, the review found that 
many program offices within the headquarters have effective cyber 
security programs. However, because all DOE headquarters net- 
works are interconnected, an office with weak security can under- 
mine the otherwise effective processes and controls of the better 
managed offices. A number of individual headquarters offices were 
found to have ineffective cyber security programs. 

Weaknesses identified in the review included the following: A 
lack of headquarters-wide procedures on configuration manage- 
ment; the absence of consistent policy on external connections, 
modems and foreign national access; the lack of minimum cyber se- 
curity requirements for each local area network in the head- 
quarters; lack of a formal process to evaluate performance and self- 
identify and correct cyber security vulnerabilities; headquarters 
risks assessments had also not been done rigorously and had not 
considered the shared risks of the headquarters network. 

In my assessment, the root cause for most of the reported cyber 
security problems was the failure to treat the headquarters as an 
interconnected and interdependent set of systems and network, 
that is, an integrated site. This problem started to become appar- 
ent earlier this spring when I found that each office in the head- 
quarters had produced separate cyber security plans as required by 
doe’s new unclassified cyber security policy. The reviews by my of- 
fice of many of these plans indicated serious weaknesses. These 
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were documented and forwarded back to the individual organiza- 
tions. 

In addition, as we began to collect metrics on cyber security im- 
plementation, the metrics submitted from some headquarters of- 
fices indicated that they had significant weaknesses in their cyher 
security implementation programs. These findings were shared 
with the respective headquarters management, and we began eval- 
uating approaches to improve our approach within the head- 
quarters. The findings of the independent oversight review con- 
firmed these earlier indications of problems. 

The Office of Independent Oversight has recommended imme- 
diate and long-term actions to address the headquarters cyber se- 
curity issues identified in its review. I support these recommenda- 
tions. Immediate actions include designating a single focal point for 
headquarters cyber security as well as establishing appropriate 
processes and procedures across the headquarters. Longer-term ac- 
tions include taking steps to improve the efficiency of cyber secu- 
rity programs by adopting best security practices and a more 
proactive risk management program. 

Steps that are being taken to address the recommendations made 
by the Office of Independent Oversight are as follows: On June 8, 
the deputy-secretary directed the Office of the CIO to serve as cen- 
tral cyber security authority for all computers and networks within 
the Department of Energy headquarters site, and I have submitted 
that memorandum as a part of the testimony. This action is the 
necessary and important first step to begin to manage head- 
quarters as a single entity and to institute consistent site-wide ap- 
proaches for securing our computers and networks. 

Specifically, the CIO operations organization, headed by Mr. Pat- 
rick Hargett who has joined me, which currently provides computer 
and networking support to a number of headquarters organiza- 
tions, including the Office of the Secretary, the CIO, Security and 
Emergency Operations, Management and Administration, the Chief 
Financial Officer and a number of other offices, will assume re- 
sponsibility for all cyber security policies, processes and procedures 
for the entire headquarters site. These policies, processes and pro- 
cedures will he coordinated through a headquarters cyber security 
working group that my office will form. Each headquarters office 
will also be represented on this working group and will be an inte- 
gral part of the cyber security forum. 

In addition, my office, as the central cyber security authority for 
headquarters, will undertake the following efforts: develop, imple- 
ment and enforce formal network connection policies; develop, man- 
age, operate and enforce an integrated security configuration man- 
agement process; develop, manage and implement a security self- 
assessment process for headquarters offices; and centrally manage 
the security of headquarters, the network perimeter, including all 
firewalls and be responsible for performing intrusion detection, vul- 
nerability scanning and auditing on the headquarters information 
technology infrastructure. 

I have made a commitment to the Secretary that we will imple- 
ment fixes to the significant vulnerabilities identified in the inde- 
pendent oversight review of the headquarters within 60 days. Con- 
sistent with our practices when we find a site that has significant 
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weaknesses, I have asked the Office of Independent Oversight to 
reassess the headquarters in early fall to verify that we have re- 
solved the serious weaknesses that were identified in the April re- 
view. The Secretary has requested regular updates on progress to 
close the headquarters vulnerabilities. 

In summary, the cyber security program in the Department of 
Energy in June 2000 bears little resemblance to the program in 
place just a year ago. We have put updated cyber security policies 
in effect, our security training has improved the effectiveness of our 
system administrators and informed our management of upgraded 
cyber security threats, each site has upgraded its security controls 
and have improvement plans to be executed as resources are avail- 
able, and a review and follow-up process using the Secretary’s inde- 
pendent oversight function permits the Department to objectively 
assess our status. 

Although we have made great process, there is room for improve- 
ments. Clearly, the review of the headquarters shows that we have 
significant weaknesses that require immediate attention. Moreover, 
the Department believes that the headquarters must set the stand- 
ard for the rest of the Department on how it implements security 
of its cyber systems. The Secretary and I are fully committed to en- 
suring that the headquarters is a model for the rest of the Depart- 
ment. 

Beyond fixing the clear weaknesses, the Department is moving 
to strengthen security in a number of areas. Current focus areas 
for improvement are eliminating the use of clear text reusable 
passwords, implementing consistent security architectures at each 
site, using automated tools to review firewall and intrusion detec- 
tion logs to identify and then automatically block access from Inter- 
net sites that are attacking DOE sites, and automated distribution 
of software patches to make the process of patching vulnerabilities 
more rapid and reliable. 

We know that there is no silver bullet fix for cyber security. Suc- 
cess in this area will take continued focused efforts to deal with the 
increasing complexity of the threats and the rapid evolution of 
technology. 

Successes will also take resources. I note that as a part of the 
Department’s fiscal year 2000 Budget Amendment request, we 
asked for additional funding to address our pressing security needs 
for our unclassified computers, but, as General Habiger noted, we 
were only appropriated a small portion of what was requested. 

While many of the issues identified in the review of the head- 
quarters and other DOE sites are not the result of lack of funding, 
accelerating implementation of protection mechanisms does take 
additional resources. 

We look forward to continuing to work with the Congress to fund 
our important cyber security programs, and we commit to providing 
you continued visibility on our progress. Thank you. 

[The prepared statement of John M. Gilligan follows:] 
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Prepahed Statement of John M. Gilligan, Chief Information Officer, U.S. 
Department of Energy 

introduction 

Thank you Mr. Chairman and distinguished members of the Committee for the 
opportunity to appear before you today. My testimony will focus on actions we have 
taken across the Department to improve the level of cyber security protection in our 
systems and networks. I will also discuss the cyber security weaknesses that have 
been identified in the Headquarters during the recent review by the Department’s 
Independent Oversight organizations, as well as our efforts to remedy these identi- 
fied weaknesses. 

I am pleased to say that the state of cyber security at the Department of Energy 
(DOE) is far better today than it was a year ago. A year ago, there was clear evi- 
dence that the Department’s cyber security efforts, in particular for our unclassified 
computer systems, had not kept pace with the rapid proliferation of network connec- 
tions and increasing threats. Our policies were outdated, cyber security com- 
promises at some sites led to significant work disruptions, and we did not have 
awareness of cyber security threats or adequate training of our workforce to deal 
with these threats. These concerns were reported in congressional hearings and 
other forums. This was a painful wake-up call for the Department, but a necessary 
one. 

During the past year, each DOE organization has focused on improving awareness 
of cyber security threats and installing improved security controls. I have seen enor- 
mous progress in how unclassified information is protected and a significant in- 
crease in awareness of cyber security issues at all levels within the Department. 
While we have worked this issue aggressively, cyber security is not a quick fix and 
more needs to be done. However, the security protection in the Department is im- 
proving rapidly, and I appreciate the opportunity to discuss our progress. 

Since the spring of 1999, the Secretary of Energy and I have emphasized a De- 
partment-wide focus on cyber security. The initial focus was on our Defense labora- 
tories and production facilities with aggressive programs to upgrade and verify fixes 
at these facilities last summer and fall. This focus has subsequently been extended 
to all DOE sites. Over this period, the Department completely restructured its cyber 
security program. Actions taken include the following: 

• Creating a single. Department-wide Cyber Security Office under me as the De- 

partment’s Chief Information Officer. 

• Requiring work “stand downs” at all sites to conduct security awareness training. 

• Developing and issuing four new cyber security policies and two new cyber secu- 

rity guidelines. 

• Instituting a set of cyber security metrics which permit us to evaluate progress 

at each site. 

• Doubling the size and increasing the role of the central DOE security incident and 

early warning capability, our Computer Incident Advisory Capability (CIAC) lo- 
cated at Lawrence Livermore Laboratory. 

• Having each DOE site develop a detailed, site-specific cyber security plan describ- 

ing the implementation of cyber security protection at the site. 

• Deplo 3 dng a cyber security training program Department-wide to improve the se- 

curity skills of our Systems Administrators and a separate training course pro- 
vided to line managers. 

• Finally, each site has significantly upgraded its protection through the use of fire- 

walls and intrusion detection software, stronger passwords, improved system 
configuration controls, and reconfiguration of system and network connectivity 
to reduce vulnerabilities. 

In addition, the Secretary created a proactive independent security assessment or- 
ganization, the Office of Independent Oversight and Performance Evaluation, re- 
porting directly to him to provide an independent review of security throughout the 
complex. For the past year, this Independent Oversight office has been conducting 
thorough reviews of cyber security effectiveness at DOE sites. As CIO, I am a key 
customer of the products of independent oversight reviews. I rely on these reviews 
to provide me with an objective assessment of the effectiveness of the cyber security 
at our sites and the effectiveness of the CIO cyber security policies. In essence, the 
Independent Oversight reviews provide critical feedback to me on how individual 
sites are progressing with cyber security upgrades, and my staff often participates 
in the reviews. Since last summer, the Independent Oversight organization has con- 
ducted 13 reviews. In those instances where significant vulnerabilities were identi- 
fied, my policy staff and I have worked with the site and the line management orga- 
nization to ensure that there is rapid resolution. Action plans for fixing problems 
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identified in the Independent Oversight Reviews are tracked by the DOE Security 
Council that is chaired by the DOE Security Czar, General Habiger. In cases where 
there are significant weaknesses identified, a rapid follow-up review by the Inde- 
pendent Oversight team is scheduled. We have done such follow-up reviews at a 
number of our facilities over the past year. These follow-up reviews provide me and 
other senior Department officials with clear evidence that those sites are, in fact , 
making rapid progress to remedy the identified cyber security problems. 

INDEPENDENT OVERSIGHT REVIEW 

In April of this year, the DOE Independent Oversight office conducted a review 
of the Headquarters unclassified cyber security program. The assessment included 
a programmatic review and testing of controls to prevent or limit access to the 
Headquarters information network against the external threat (such as unauthor- 
ized system, i.e., hackers) and the internal threat (i.e.. Department employees). As 
you have heard from Mr. Podonsky, the review found that, although unclassified 
cyber security at Headquarters has significantly improved in the past two years, 
there are significant deficiencies that need to be addressed. In particular, the review 
found that many program offices within the Headquarters have effective cyber secu- 
rity programs. However, because all DOE Headquarters networks are inter- 
connected, an office with weak security can undermine the otherwise effective proc- 
esses and controls of the better-managed offices. A number of individual Head- 
quarters offices were found to have ineffective cyber security programs. 

Weaknesses identified in the review included the following: 

• A lack of Headquarters-wide procedures on configuration management; 

• The absence of consistent policy on external connections, modems, and foreign na- 

tional access; 

• The lack of minimum cyber security requirements for each Local Area Network 

in the Headquarters; 

• Lack of a formal process to evaluate performance and self-identify and correct 

cyber security vulnerabilities; 

• Headquarters risk assessments had not been rigorous and had not considered the 

shared risk of the Headquarters network. 

In my assessment the root cause for most of the reported cyber security problems 
was the failure to treat the Headquarters as an interconnected and interdependent 
set of systems and networks that is an integrated “site”. This problem started to 
become apparent earlier this spring when I found that each office in the Head- 
quarters had produced separate cyber security plans as required by DOE’s new un- 
classified cyber security policy. The reviews by my office of many of these plans indi- 
cated serious weaknesses. These were documented and forwarded back to the indi- 
vidual organizations. In addition, as we began to collect metrics on cyber security 
implementation, the metrics submitted from some Headquarters offices indicated 
that they had significant weaknesses in their cyber security programs. These find- 
ings were shared with the respective Headquarters management, and we began 
evaluating approaches to improve our approach within the Headquarters. The find- 
ings of the Independent Oversight review confirmed these earlier indications of 
problems. 

The Office of Independent Oversight has recommended immediate and long-term 
actions to address the headquarters cyber issues identified in its review. I support 
these recommendations. Immediate actions included designating a single focal point 
for Headquarters Cyber Security, as well as establishing appropriate processes and 
procedures across Headquarters. Longer-term actions include taking steps to im- 
prove the efficiency of the cyber security program by adopting best practice security 
practices and a more proactive risk assessment program. 

DEPARTMENT RESPONSE TO INDEPENDENT OVERSIGHT REPORT 

Steps that are being taken to address the recommendations made by the Office 
of Independent Oversight are as follows. On June 8, 2000, the Deputy Secretary di- 
rected the Office of the CIO to serve as the central cyber security authority for all 
computers and networks within the DOE Headquarters site (see attachment). This 
action is the necessary and important first step to begin to manage Headquarters 
as a single entity and to institute consistent site-wide approaches for securing our 
computers and networks. Specifically, the CIO Operations Organization, which cur- 
rently provides computer and networking support to a number of Headquarters or- 
ganizations including the Office of the Secretary, the CIO, Security and Emergency 
Operations, 

Management and Administration, the CFO and a number of other offices, will as- 
sume responsibility for all cyber security policies, processes, and procedures for the 
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entire Headquarters site. These policies, processes and procedures will be coordi- 
nated through a Headquarters Cyber Security Working Group that my office will 
form. Each Headquarters office will be represented on this Working Group and will 
be an integral part of this cyber security forum. 

In addition, my office, as the central cyber security authority for the Head- 
quarters, will undertake the following efforts: 

• Develop, implement and enforce formal network connection policies; 

• Develop, manage, enforce and operate an integrated security configuration man- 

agement process; 

• Develop, manage and implement a security self-assessment process for Head- 

quarters offices; and 

• Centrally manage the security of the Headquarters network perimeter, including 

all firewalls, and be responsible for performing intrusion detection, vulnerability 

scanning and auditing on the Headquarters IT infrastructure. 

I have made a commitment to the Secretary that we will implement fixes to the 
significant vulnerabilities identified in the Independent Oversight review of the 
Headquarters within sixty days. Consistent with our practices when we find a site 
that has significant weaknesses, I have asked the Office of Independent Oversight 
to reassess the Headquarters in early fall to verify that we have resolved the serious 
weaknesses that were identified in the April review. The Secretary has requested 
regular updates on progress to close the Headquarters vulnerabilities. 

CONCLUSION 

In summary, the cyber security program in the Department of Energy in June of 
2000 bears little resemblance to the program in place just a year ago. We have put 
updated cyber security policies in effect; our security training has improved the ef- 
fectiveness of our system administrators and informed our management of upgraded 
cyber security threats; each site has upgraded its security controls and have im- 
provement plans to be executed as resources are available; and a review and follow- 
up process using the Secretary’s Independent Oversight function permits the De- 
partment to objectively assess our status. Although we have made great progress, 
there is room for improvements. Clearly, the review of the Headquarters shows that 
we have significant weaknesses that require immediate attention. Moreover, the De- 
partment believes that the Headquarters must set the standard for the rest of the 
Department on how it implements security of cyber systems. The Secretary and I 
are fully committed to ensuring that the Headquarters is a model for the rest of 
the Department. 

Beyond fixing the clear weaknesses, the Department is moving to strengthen se- 
curity in a number of areas. Current focus areas for improvement are eliminating 
the use of dear-text reusable passwords, implementing consistent security architec- 
tures at each site, using automated tools to review firewall and intrusion detection 
logs to identify and then automatically block access from internet sites that are at- 
tacking DOE sites, and automated distribution of software patches to make the 
process of patching vulnerabilities more rapid and reliable. 

We know that there is no silver bullet fix for cyber security. Success in this area 
will take continued and focused effort to deal with the increasing complexity of the 
threats and the rapid evolution of technology. Success will also take resources. I 
note that as a part of the Department’s FY 2000 Supplemental request, we asked 
for additional funding to address our pressing security needs for our unclassified 
computers, but as General Habiger noted, we were only appropriated a small por- 
tion of what we requested. While many of the issues identified in the review of the 
Headquarters and other DOE sites are not the result of lack of funding, accelerating 
implementation of protections mechanisms does take additional resources. We look 
forward to continuing to work with Congress to fund our important cyber security 
programs and we commit to providing you continued visibility on our progress. 

Thank You. 

Mr. Upton. Thank you. 

I would just note that the House was in session and voting until 
nearly midnight last night. We also have a number of subcommit- 
tees that are also meeting at this time, and by unanimous consent 
I will ask that all members of the subcommittee will have an op- 
portunity to enter their opening statement into the record. 

You will see a number of members coming in and out. We’re 
going into session, I know, at 10. I don’t expect votes for a while 
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as we complete yet another long day today on the Labor, HHS ap- 
propriation bill. 

General Habiger, I know that you’re prepared for some of the 
questions that we’re going to have in light of the opening statement 
by Mr. Bliley, Mr. Stupak and myself with regard to the missing 
disks and the hard drives; and I happen to find it, as I read the 
morning papers this morning, fairly incredulous that it appears as 
though these disks have been missing for a number of weeks. Only 
86 individuals had access to these disks, in fact; and, of those 86, 
only I believe 26 were allowed to have unescorted access to the 
disks. 

A number of members of this subcommittee traveled to look at 
all the labs earlier this year. We visited extensively, I thought, Los 
Alamos. We had a number of meetings with your staff and others 
before we came, terrific staff support as well. 

Could you describe the vault? And I don’t know that we visited 
this particular vault where these were taken. 

At Los Alamos, the vault we did visit, we went through this long 
drive through these almost mountain passes and went through se- 
curity that was very well armed and photo ID. I mean, it was ex- 
tensive to get in. In fact, I think it took us about 20 minutes to 
actually get into the vault because of the security. We probably 
spent more time going through the security to get into the vault 
than we actually spent in the vault. And I don’t know whether that 
was the vault — you know the groundwork much better because you 
have been there. I’m sure, a number of times. Is that the vault, the 
one that actually goes into almost into the mountain where these 
two disks were taken? 

Mr. Habiger. No, sir. The vault in question is in the main build- 
ing, technical area three, they call it. 

Mr. Upton. Is that where Wen Ho Lee’s office is? 

Mr. Habiger. Yes, sir. 

There are three levels of protection before you get into the vault 
itself I’d rather not go into the details in open session, but let me 
tell you that there are extensive security procedures that are in 
place at each level of in-depth security that would preclude anyone 
except those that are authorized to be in that area to gain access 
to the vault. The vault itself serves about — is relatively small, 
about 10 feet wide and about 20 foot long. 

Mr. Upton. Now, as I understand it, these two disks 

Mr. Habiger. Two hard drives. 

Mr. Upton. Two hard drives that are missing were, in fact, in 
a locked bag, is that right, inside the vault? 

Mr. Habiger. Yes, sir. 

Mr. Upton. And in fact, the bag itself was, in fact, compartmen- 
talized, with locked compartments within the bag; is that right? 

Mr. Habiger. Yes, sir. 

Mr. Upton. The way that I understand it is, when it was discov- 
ered, the empty compartment was, in fact, locked; is that right? 

Mr. Habiger. Yes, sir. 

Let me just back up a little bit and explain the scenario. 

The fire at Los Alamos began on, as I recall, Thursday, May 4. 
On the evening of May 7, Sunday, late, nearly midnight, the deci- 
sion was made to go into the vault by two individuals who are an- 
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thorized unescorted access into that vault to take the kit — the kit 
is a kit used by the Nuclear Emergency Search Team, NEST, to 
rapidly deploy to situations that require some of our Nation’s best 
minds to look at an improvised nuclear device or perhaps a stolen 
nuclear weapon. These individuals pull on-call duty. We have mem- 
bers of our scientific community at both Los Alamos, Livermore 
and Pantex on duty, on call 24 hours a day, 365 days a year. 

In order to ensure that that capability was still available to re- 
spond very rapidly, the decision was made to go into the vault late 
Sunday night as the fire began to burn out of control. They went 
into the vault, they inventoried — and you can inventory the hard 
drives by just feeling them. They’re a little bigger than a deck of 
cards, about two-thirds as wide as a deck of cards. They could not 
feel the hard drives in the locked container. 

There are three kits. They were in kit No. 2. They immediately 
went into kit No. 3 to pull out two hard drives. One’s the primary. 
The second hard drive is the backup. They took the two hard 
drives, the two containers out of kit three, put it in kit two and im- 
mediately evacuated the area and put the kit two with the kit 
three hard drives in a more secure — by secure I’m talking about 
safe, out of harm’s way in relation to the fire. 

They immediately reported to other individuals on the NEST 
team that they went into the vault, they couldn’t find the hard 
drives to kit two, and, as you recall, on Monday, May 8, the lab 
was shut down completely because of the life-threatening aspects 
of the fire. The lab did not come back up until Monday, May 22; 
and when the labs started back up again on Monday, May 22, it 
was not all 10,000 people going back to work. It was a gradual 
buildup of activity. The first things that were looked at were the 
safety considerations. 

I will also tell you that during this entire course of the fire, I was 
in contact — along with Deputy Secretary Glauthier, we had people 
on duty 24 hours a day, and the security systems were up and run- 
ning the entire time. Now there were certain situations where we 
had to pull guards out of certain areas and put them out of harm’s 
way, but we still had a credible security at all of the facilities 
there, to include this vault. 

So the labs started up on Monday, May 22. On Wednesday, May 
24, a full-scale search was begun within the X division and any- 
place that the NEST activity could have taken place. We were in- 
formed on the evening of June 1 that those hard drives were miss- 
ing. 

Ed Curran, the Director of Counter Intelligence, immediately 
went to the FBI headquarters and informed them. Deputy Sec- 
retary Glauthier was in communication with Dr. Browne at the 
laboratory. On Monday, during a video teleconference with Dr. 
Browne, it was determined that Dr. Browne indicated that he had 
intensely searched the facility and could not find the two missing 
hard drives. 

At that point. Deputy Secretary Glauthier directed that I, with 
Ed Curran, go to FBI headquarters, which we did. We met at 
around noon with senior officials at the Bureau. It was determined 
that we jointly do an investigation, DOE and the FBI. At 8:30 that 
night, Monday night, I was in Los Alamos. At 7 o’clock the next 
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morning, we had a sizable number of FBI agents, about 15, 10 
DOE personnel; and we started at 7 o’clock Tuesday morning; and 
we didn’t finish up until nearly midnight that night. Our first 
interviews began that first day. 

I was recalled — I was actively engaged until this past Saturday. 
I was asked to come back to testify at this hearing. I came back 
Sunday, and I plan on going back tomorrow. 

Mr. Upton. When you say that there was an intensive search for 
these disks, was there an intensive search between May 8 and May 
22 ? 

Mr. Habiger. No, sir, because the lab was completely shut down. 
And you had to be there — and I went there — I went there on May 
19, as I recall. I flew over the site; and I will tell you, sir, that it 
was life threatening. There was absolutely no activity except secu- 
rity and fire fighting that went on from that period — essentially 
from May 7 through May 22. 

Mr. Upton. But the individuals that had access to the disks, 26 
folks who had unescorted access, they weren’t then at the facility, 
right? They all left? 

Mr. Habiger. Yes, sir. Yes, sir. And there’s no indication whatso- 
ever — see, there’s a log that is created based upon the entry proce- 
dures, again which I’d rather not go into here. A telephone call has 
to be made. That call is recorded. Passwords have to be given. It’s 
an elaborate process. 

Mr. Upton. Right. But was any effort taken with the 26 people 
that had access to that until the May 22? I mean, what I’m saying 
is those people weren’t there, those 26 people. They went someplace 
where it was safe. You knew that the disks were missing since May 
8. The lab was closed from May 8 to May 22. Those individuals 
who had access and actually could have perhaps retrieved or taken 
those disks went someplace where it was safe. Was any effort 
taken by the Los Alamos security folks to, in fact, interview any 
of those 26 people during the fire? 

Mr. Habiger. No, sir. The total focus during that period was 
the — saving the laboratory from destruction from the fire. 

Mr. Upton. But we knew that disks were missing before the fire 
took place. 

Mr. Habiger. Sir, there were a relatively small number of indi- 
viduals that knew that. You will have to talk to lab personnel — 
and, again, we are trying to determine through a series of inter- 
views, the FBI and Department of Energy — at last count over 90 
interviews had been accomplished, interviews that last anywhere 
from 30 minutes to 3 hours since Tuesday of last week. Those 
interviews continue as we speak. 

Mr. Upton. Are polygraphs being used on those interviews? 

Mr. Habiger. They will be beginning tomorrow, yes, sir. 

Mr. Upton. Mr. Stupak. 

Mr. Stupak. Thank you, Mr. Chairman. 

General, you speak of kit No. 2 as having the missing hard 
drives. Is there a kit No. 1? 

Mr. Habiger. Yes, sir. 

Mr. Stupak. Is that all intact? 

Mr. Habiger. Yes, sir. 

Mr. Stupak. Okay. So the one we’re talking about is kit No. 2? 
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Mr. Habiger. Absolutely. 

Mr. Stupak. Once you get into the area where the kits are 
stored, where this NEST kit is stored, aren’t the keys to get into 
these bags just hanging right there on the wall? 

Mr. Habiger. Sir, there are two sets of keys. There’s a set of 
keys on the wall, and there’s a set of keys attached to the kit. 

Mr. Stupak. So once you get to the kit area you can have access 
to those kits either by taking the keys off the wall or ones on the 
kit; is that right? 

Mr. Habiger. Yes, sir. 

Mr. Stupak. And the people who are in there, there are 26 who 
had to be escorted and about 60 others who did not need to be es- 
corted? 

Mr. Habiger. Fifty-seven. Sixty’s close enough. 

Mr. Stupak. So then when the kit — when it was discovered that 
kit No. 2 was missing the hard drives and you had the fire, there 
was no attempt to ascertain from these possibly 56, 57 people and 
the other 26 people what they did with it during this time? 

Mr. Habiger. Sir, the access to the vault is, as I mentioned, very 
tightly controlled. Anyone who goes into the vault during off-duty 
hours has to go through this elaborate procedure to get into the 
vault where it’s documented. There is also a log in the vault for 
those people who are not allowed unescorted access, that they have 
to sign in. So those 57 individuals, whenever they went in, they’d 
have to sign in on a log. They couldn’t go in by themselves. I 
went — when I went to the vault, had to sign in on a log, and I was 
escorted. 

Mr. Stupak. And hopefully everyone signed in, but we don’t 
know if everyone signed in. 

Second, you mentioned off duty. What about regular business 
hours? Do people sign in all the time then? 

Mr. Habiger. Let me back up, sir. Those kinds of questions are 
being asked now. I have seen the logs. I can’t confirm 

Mr. Stupak. They may be asked now, but I guess the part that 
still puzzles me, why weren’t they asked between May 8 and May 
24 when the fire got under control? Why did it take almost 2 weeks 
before anyone started asking the questions? These 56 people or 26 
people weren’t out fighting the fire, were they? Certainly you had 
access to them. They could have asked these questions. 

I would think on May 8 when you’re missing the kits, two hard 
drives from these computers, there’d be some concern and start 
asking questions. While you have the fire. I’m sure you’re not out 
there fighting the fire. I’m sure someone would have at least start- 
ed some investigation instead of waiting until June 1 to notify the 
FBI that everyone’s returned, we still can’t find these things. I 
guess that is the laissez-faire attitude that I really have problems 
with. 

Mr. Habiger. Well, sir, these kinds of questions that you’re ask- 
ing are good questions. And as a result of the investigation, which, 
by the way, is a criminal investigation at this point, we will find 
the answers to these questions; and we will take the appropriate 
action. The lab director will take the appropriate action. 

Mr. Stupak. In the Washington Post this morning you said, and 
if I can quote you, the disks and the hard drives missing at Los 
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Alamos were probably misplaced or lost rather than stolen. How 
did you reach that conclusion? 

Mr. Habiger. Sir, I’d rather not go into that in this session. 

Mr. Stupak. Well, you know, you talked to the Post about it. 
That is certainly in open session. 

Mr. Habiger. Yes, sir. I will stand by that statement based 
upon 

Mr. Stupak. Was that the official line or do you have something 
to back it up? Is the official line that, well, it must be misplaced 
or lost rather than stolen or do you really have some proof, without 
getting into it, that they were, in fact, misplaced? 

Mr. Habiger. It’s my judgment, sir, based upon my exposure 
over the past week of working nearly 15, 16 hours a day and being 
an integral part of the process. 

Mr. Stupak. Okay. Has anyone yet told you or anyone else that 
the disks were set down or misplaced and just can’t remember 
where they were? Do you have any idea who was the last person 
who had access to this kit No. 2? 

Mr. Habiger. Sir, there’s no requirement to inventory the disks. 
As a matter of fact, because of changes in security policies across 
the entire government, there’s very little requirement to inventory 
classified material. 

Mr. Stupak. So if I get in the vault, I take kit No. 2, I don’t have 
to sign out — don’t have to sign it out or anything? 

Mr. Habiger. No, sir. 

Mr. Stupak. So my library book in Menominee is more secure 
than these disks once I get access, get my hands on it? 

Mr. Habiger. Sir, the individuals who have access to those kits 
are dedicated, loyal Americans. 

Mr. Stupak. I don’t dispute that, but you can’t dispute we have 
two of them missing. 

Mr. Habiger. Yes, sir. 

Mr. Stupak. You can’t dispute that when they took them out 
there’s no procedure in place to identify even who took them out. 
Once you get to the magic ring, you take the magic ring and you 
leave, and there’s no check-out of that. 

Mr. Habiger. But you have to get to the magic ring. 

Mr. Stupak. Right. It sounds like it wasn’t too difficult, if you 
have about 80 or 90 

Mr. Habiger. There are 26 people who had access, uncontrolled 
access, unescorted access. 

Mr. Stupak. Okay — 26 unescorted access, and then another 56 or 
57 who would have to be escorted. And I guess our concern is, if 
it’s 26 who have unescorted and if they’re missing the — May 7 or 
May 8 and they come back May 24, because they were good people, 
no one thought it was necessary to check with those 26 what hap- 
pened in the interim? 

Mr. Habiger. No, sir. I think it was a focus on a catastrophic 
event that was occurring, that many people’s lives were at risk. 

Mr. Stupak. I don’t disagree with that, but do you think it was 
a mistake not to at least begin an investigation to try to figure out 
where they were, if someone honestly misplaced them we could get 
them back here, so you wouldn’t be back here answering my ques- 
tions? 
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Mr. Habiger. Sir, that is one of my questions that we’ll have an- 
swered as a result of our investigation. 

Mr. Stupak. General, last May, Secretary Richardson said there 
was a, “zero tolerance security policy.” He said, “no security infrac- 
tions are acceptable, and penalties would be strengthened.” These 
would include, “verified unintentional or reckless breaches that cre- 
ate a significant risk of a national security compromise or that dis- 
plays a wilful disregard for security procedures.” That was May 11, 
1999. Is that policy still in place today? 

Mr. Habiger. It certainly is, sir. 

Mr. Stupak. Is what happened at Los Alamos with kit No. 2 a 
security infraction or is it an oversight by a scientist? At a min- 
imum, you would have to agree the information has left its proper 
secured location, has it not? 

Mr. Habiger. Sir, I will tell you that when we find the answer 
to the question as to who was responsible, I guarantee you that 
that individual will be dealt with appropriately under the Sec- 
retary’s very aggressive policy of zero tolerance. 

Mr. Stupak. You would agree with me at a minimum right now 
we have information that has left its proper secured location, it left 
the vault, that hard drive, kit No. 2 , correct? 

Mr. Habiger. Yes, sir; and what we’re trying to find out is how 
that happened and where those hard drives are today. 

Mr. Stupak. Now in the same area — that is the same place 
where Wen Ho Lee worked, and he’s not been charged with espio- 
nage but security breaches involving weapons information, and he’s 
been in solitary confinement in a Federal prison for many months. 
It appears from the public statements being made by DOE officials 
that they’re already trying to say that this situation is somehow 
different, someone just lost the information. Is that how a zero tol- 
erance policy is to be enforced? 

Mr. Habiger. Congressman Stupak, we don’t know. We’ve been 
at this for 7 days. I’d like to think that the aggressive action of 
both the Federal Bureau of Investigation and Department of En- 
ergy will get us some answers soon. Frankly, the polygraphs, being 
the next step, will allow us to do that. 

Mr. Stupak. Sure, I hope we do get to the bottom of it, but I 
guess it’s a little bit like I’ve been hammering away for the last 
couple of years. I’ve been on this subcommittee now for 6 years. 
There seems to be this attitude or atmosphere at our labs that 
things happen, you know. And we try to get some answers, and 
we’ll come back and report to Congress. But we really don’t see 
anything changing. When we say in May 1999 there’s zero toler- 
ance and we come back to a situation like this — and I don’t know 
how you can say this is any different than May 1999. It should be 
zero tolerance. Someone lost the information. 

Mr. Habiger. Sir, and as soon as we find out who lost the infor- 
mation, who misplaced the information, you can — I can guarantee 
you that very swift, appropriate action will be taken. 

Mr. Stupak. Thank you for the extra time, Mr. Chairman. 

Mr. Upton. You’re welcome. 

Mr. Bryant. 

Mr. Bryant. Thank you, Mr. Chairman. 
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I apologize to the panel for being late, but we had, as the Chair- 
man said, other commitments. So I haven’t had the benefit of hear- 
ing all your statements. I have looked through some of the state- 
ments. I do, like my colleague from Michigan, both colleagues from 
Michigan, the Chairman and Mr. Stupak, have concern here. 

It is much like when your house gets broken into, the police offi- 
cers come out and say, well, you know, we’re going to find out what 
happened here, and we are going to work long and hard hours to 
get there, and if we catch them we’re going to punish them se- 
verely. Given the nature of what’s been missing here, it’s not a bur- 
glary of a home; and given the nature of the zero tolerance policy 
and given the nature of the history of who we’re talking about 
here, it is very disappointing to hear those same things: Well, we’re 
going to find out what happened, and we’re working hard to do it 
right now, 16 hours a day, and when we get them we’re really 
going to punish them. 

But I think maybe. General, one of things you said struck me, 
and it may be an example of this attitude that my friend, Mr. Stu- 
pak, refers to. I think you start with the presumption, and that’s 
the key word, the presumption that because we’ve got good dedi- 
cated Americans there, there’s an answer. Rather than the pre- 
sumption that there’s been a criminal activity, or something very 
important is missing, and we better really get going here very 
quickly. I think that’s the example, is the investigation, which any- 
body that knows, any basic investigatory techniques knows you 
don’t wait 3 weeks to start an investigation after a crime such as 
this occurs. You get right on it. And I realize there were exigent 
circumstances involved here, but it just seems to me to have de- 
layed the actual investigation questioning of all those people that 
had access to this room should not have occurred. 

I don’t know that it was necessary at your level that this oc- 
curred, this decision was made, but at some level of security at Los 
Alamos, that that decision was made that, it’s probably, “some- 
body’s got it home or using it at home or something like that,” and 
that may not have been proper, but the presumption, or the as- 
sumption, was there’s a good reason out there. Somebody’s got it, 
rather than it could have been taken — it could have been stolen. 
Somebody could have taken it out, had access. 

Again, I think it’s the mindset that because these people are 
good, dedicated Americans who work hard out there, that somebody 
could not commit a criminal act. Therefore some 2 to 3 weeks we 
had a delay in the investigation which, if somebody has wrongfully 
taken it out, it could be no telling where now. We might get that 
person eventually, and punish them, but this country has lost 
something very important. Let me go back if I could, Mr. Podonsky, 
to questions. 

In your report, you recommend that the department consider 
mandating a standdown at all external Web service until signifi- 
cant vulnerabilities are identified or clarified during the inspection 
that occurred during your inspection and a correction is made to 
these. Why did you recommend this standdown, and has that been 
done by the Department of Energy? 

Mr. Podonsky. First of all, we put that recommendation in what 
we call our opportunities for improvement as the feedback loop to 
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provide the office that we’re inspecting, or the Office of Responsi- 
bility, to consider that which would be John Gilligan’s office. In Mr. 
Gilligan’s corrective actions plan, it does not appear that they are 
planning to do a standdown. They have other solutions that they 
have in mind to address the issue that we have identified. We rec- 
ommended the standdown, getting to the first point of your ques- 
tion, because we felt that until they can do their risk assessment, 
we would not know what vulnerabilities existed. 

Mr. Bryant. But you have made recommendations in the report. 
I’m looking here at a question that says — this is kind of skipping 
on down — six further cyber security enhancements were announced 
in May 1999 by the Secretary, that they were transferred infor- 
mally to the management and may have resulted in confusion and 
lack of implementation. What does that mean to you? What do you 
know about that? 

Mr. PoDONSKY. Well, the six further enhancements, there was a 
nine-point plan, the TriLab nine-point plan from the results of last 
spring. In addition to the nine-point plan, there were six enhance- 
ments that the Secretary put out. Those enhancements were not 
put out as a policy. They were put out in memorandum form. We 
took that from an inspection standpoint to mean that they should 
be followed and should be further memorialized into policy. Mr. 
Gilligan’s office, during last summer, was looking into that and me- 
morializing those things. We felt that the same thing we were 
doing in looking at it out at the sites and field should be applicable 
at the headquarters as well. 

Mr. Bryant. There was an issue also about Web pages, some of 
the Web pages being inside the security wall and some being out- 
side. Are you familiar with that issue? 

Mr. PoDONSKY. Yes. I am. Let me ask my office director for cyber 
security to address that. 

Mr. Peterson. That also really relates to your first question on 
the standdown — that relates to your first question on the 
standdown. The recommendation was to standdown the head- 
quarter’s Web servers located out of what’s referred to as the DMZ 
or the screen subnet. Those we found to have significant 
vulnerabilities that could either result in a Web defacement or 
somebody taking over those systems and using them to illicitly at- 
tack another Internet entity, and our recommendation was then to 
do a standdown. We thought it would take a day or two to fix those 
and then put them back on line securely. 

Mr. Bryant. What is the date of your report that recommends 
the standdown? When did you recommend that? 

Mr. Peterson. Our initial draft report went out the last week in 
April. 

Mr. Bryant. Let me go over to Mr. Gilligan. Could you respond 
to some of these issues, especially some of the recommendations, 
the implementation of the policy from DOE on those six additional 
points? Could you just respond in general to those? 

Mr. Gilligan. Yes, sir, I would be happy to do that. First let me 
address the Web pages. As the report accurately points out, we 
have a subset of the Web pages that are supported by headquarters 
organizations that are in the highly protected enclave we call a 
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screen subnetwork. They’ve been there for the past year. Those are 
viewed as being very secure. 

There is another set of Web pages that are supported by indi- 
vidual organizations. They are managed by those individual organi- 
zations and some of them were found to have significant weak- 
nesses. The recommendation of the independent oversight organi- 
zation was that a rapid remedy was to standdown, that is, take the 
Web pages off the Internet and to fix them, that is, fix them indi- 
vidually. The recommendation that I provided to the Deputy Sec- 
retary and the Secretary was not to continue to manage these as 
separate entities, but to move all of the Web pages within the 
headquarters into this protected area, the screen subnetwork that 
was found by the independent oversight penetration team to be ex- 
tremely well protected. 

Mr. Bryant. Has that been done? 

Mr. Gilligan. That is in the process of being done at present 
that consists of moving the software, moving, in some cases, the 
physical computers into the screen subnetwork in order to ensure 
they are adequately protected. My judgment was that the 
standdown was not an immediate action. It was warranted because 
the vulnerability that exists within the headquarters as a result of 
these Web pages is relatively minor. The threat to the head- 
quarters is that these Web pages could be defaced, which is an em- 
barrassment. There is no loss of operational ability as a result of 
a Web page not operating. 

The other potential vulnerability is that a Web page, or any com- 
puter, could be used as a platform for attacking other sites, and in 
this case, attacking sites outside the Department of Energy, be- 
cause the Department of Energy’s computers are well protected 
from our Web sites, that is, there is no trust relationship. So we 
made the decision to rapidly move these Web pages into the screen 
subnetwork in order to provide the security that I felt was a better 
solution. 

Addressing the second issue which you raised, which was the six 
further enhancements. The six further enhancements were pub- 
lished by the Secretary with something I contributed to last sum- 
mer. We have, in fact, embodied those six further enhancements in 
our policies. The recommendation of the Independent Oversight 
Group was that perhaps additional policy is needed in order to en- 
sure that all sites clearly understand what is to be implemented in 
these six further enhancements. 

Six further enhancements discuss things like providing configu- 
ration control of all computers, providing scanning of the networks, 
reviewing audit logs and conducting regular audits. All of those re- 
quirements are, in fact, codified in our policies. It is the view of my 
office that rather than change and add to the policies, what we 
need is guidelines, that is, how to implement the policies on these 
six further enhancements, again, that are covered in our policies so 
that there is no ambiguity and we are moving forward to imple- 
ment that. 

Mr. Bryant. Mr. Chairman, my time is finished. Before I con- 
clude my statement, I would like to ask unanimous consent to add 
a White House release with regards to the memorandum from the 
heads of executive departments and agencies and the subject is ac- 
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tion by Federal agencies to safeguard against Internet attacks. It’s 
dated March 3, 2000. 

Mr. Upton. Without objection. 

[The memo appears on pg. 46.] 

Mr. Upton. The Chair would note that we have two votes on the 
floor, and I will ask Ms. DeGette whether she would prefer now 
using 5 minutes or come back after the two votes. 

Ms. DeGette. Mr. Chairman, I might as well ask my questions 
now. We still have over 10 minutes. Thank you. Thank you, Mr. 
Chairman. 

General, I would like to follow up on some questions Mr. Stupak 
was asking you. I guess we’re all glad that you’re investigating the 
situation, but given the fact that you discovered the disks missing 
on May 7, and no one was really told until May 22, and now there’s 
an investigation, I guess I’m wondering what is your timeframe at 
this point for completing the work you’re doing? 

Mr. Habiger. Let me back up, if I may, and tell you — and this 
relates to Congressman Bryant’s question about the timelines be- 
tween the evening May 7 when the hard drives were discovered 
missing, and the evening of June 1 when I was notified — or we 
were notified at DOE headquarters. That is not a good scenario. 
Someone should have informed us much earlier on in the process. 

Ms. DeGette. I agree, like maybe May 7 or early on May 8, but 
that’s not my question. 

Mr. Habiger. I want you to know here you had a situation where 
you had the lab on the verge of burning down. 

Ms. DeGette. Sir, I understand. I understand what your expla- 
nation is for why there was no notification, but my question is, 
what is your timeframe now for completing the work that you are 
doing to figure out what happened and how to avoid it in the fu- 
ture? 

Mr. Habiger. At this point, the FBI is now in the lead for the 
investigation. 

Ms. DeGette. We’re glad about that, too, but what is their time- 
frame? 

Mr. Habiger. Ma’am, I was called back to take part in this hear- 
ing. They begin polygraph examinations beginning tomorrow. They 
are moving very, very aggressively. I cannot give you an end date. 

Ms. DeGette. Mr. Chairman, I would just make a request that 
this committee would consider another oversight hearing in 30 
days just to examine the progress. This is such a serious national 
issue, I think that we should keep monitoring. 

Mr. Upton. You’re right. 

Ms. DeGette. Thank you, Mr. Chairman. 

Let me ask you a few more questions. I understand the fire was 
there when these drives were discovered missing. Where were the 
kit 2 and the kit 3 hard drives stored during the fire? Where were 
those stored? 

Mr. Habiger. They were stored in another technical area in a 
very secure vault. 

Ms. DeGette. At the Los Alamos site? 

Mr. Habiger. Yes. 

Ms. DeGette. And out of risk of fire? 

Mr. Habiger. Yes, ma’am. 
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Ms. DeGette. You had said that it was chaotic because of the 
fire, and that’s why your office wasn’t informed. Was the lab direc- 
tor informed at that time? 

Mr. Habiger. No, ma’am. I cannot — I’ve got some information 
third-hand, but I don’t think Dr. Browne was informed until to- 
ward the end of the period, the very end of the period. 

Ms. DeGette. Until close to May 22 or June 1? 

Mr. Habiger. After that just a few days before June 1. 

Ms. DeGette. Do you have any sense why that happened? 

Mr. Habiger. No, ma’am. I would defer to Dr. Browne. 

Ms. DeGette. Was Mr. Curran — DOE’s counterintelligence spe- 
cialist informed? 

Mr. Habiger. No, ma’am. 

Ms. DeGette. Who, if anyone, was informed? 

Mr. Habiger. On the evening of June 1 is when we first discov- 
ered that there was a problem. 

Ms. DeGette. To your knowledge, between May 7 and June 1, 
no one higher up was informed? 

Mr. Habiger. That’s absolutely correct. 

Ms. DeGette. Is what you were investigating why that hap- 
pened? 

Mr. Habiger. The primary concern is to get this classified data 
back. 

Ms. DeGette. I would agree, but in my experience, when you’ve 
got classified data in the form of disks and it’s gone from May 7 
until June 1, it’s going to make the job of getting that data back 
much more difficult. Would you not agree? 

Mr. Habiger. I couldn’t agree more. 

Ms. DeGette. So therefore, it would seem to me that a second, 
and almost equally high priority would be trying to determine why 
the gap, the almost month — the 3-week gap, occurred because in 
the future, if you have gaps like this, it would make it virtually im- 
possible to get data back, correct? 

Mr. Habiger. I would put the priorities getting the information 
back, finding out who was responsible for that data, or those hard 
drives being put in a place where they shouldn’t have been. And 
then the third priority is your area that you’re getting into now. 

Ms. DeGette. General, there is a clear protocol in place that re- 
quired contractors like the University of California and program of- 
fices to inform your office immediately when this type of classified 
information is missing, correct? 

Mr. Habiger. Within 8 hours. 

Ms. DeGette. Within 8 hours. And have you ever been informed 
of these kinds of breaches in the past? 

Mr. Habiger. Yes. 

Ms. DeGette. Was it done within 8 hours? 

Mr. Habiger. Yes. 

Ms. DeGette. Do you think this is just a one-shot situation or 
do you think there is a bigger problem? 

Mr. Habiger. At this point I don’t know because the focus, as I 
said, has been where are the hard drives, who is responsible. The 
process will take its turn and we’ll take the appropriate action. The 
lab director will take the appropriate action. 
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Ms. DeGette. Mr. Podonsky, do you have any views on that 
issue? 

Mr. Podonsky. We have not been involved in this investigation, 
so to answer the question, we have no — we don’t have any more in- 
formation than what you’ve heard this morning. 

Ms. DeGette. Now, we’ve heard that Mr. Curran has told the 
press that there’s no evidence that this is espionage, and someone 
else said the disks are just lost. Do we have any evidence that this 
is not espionage or theft for money? 

Mr. Habiger. Ma’am, before you came in, I covered that in a 
very generic sense, and this is not the forum to get into it, but look- 
ing at what we know at this point, it does not appear, as Mr. 
Curran pointed out, to be espionage. 

Ms. DeGette. I assume you would want to treat this as a poten- 
tial case of espionage. 

Mr. Habiger. That’s correct. I’m not speaking for the Federal 
Bureau of Investigation, but that’s how the case would be charac- 
terized by them. 

Ms. DeGette. Thank you. Thank you, Mr. Chairman. 

Mr. Upton. The Chair would note there are at least two votes 
on the House floor. We’ll recess until 10:50. 

[Brief recess.] 

Mr. Upton. We do not expect votes for an hour or 2, so we’ll be 
done by then, I hope. 

Mr. Burr is recognized for questions. 

Mr. Burr. Thank you, Mr. Chairman. General, welcome again. 

Mr. Habiger. Good to see you again, sir. 

Mr. Burr. Glenn, we always welcome you back. I’m hopeful 
there’s a point where maybe we’re not sending you out to do eval- 
uations, that, in fact, we’re confident on the process that we’ve got. 
Clearly with the news cycle in the last 24 hours, there are some 
questions that I’ve got to ask about that probably would be better 
directed at the General. And I’ll try to get refocused back on the 
DOE headquarters issue. 

General, it’s been stated that there was a date that they knew 
that these drives still existed in a secure vault. Was that April 7? 

Mr. Habiger. On April 7, sir, there was an inventory by mem- 
bers of the team, the NEST team, in which the individual who con- 
ducted the inventory has indicated that he saw the disk. Another 
inventory was conducted on April 27, and the individual at that 
time, a different individual, didn’t actually see the disks. His state- 
ment was along the lines, if the disks were not there, it would have 
created a very aggressive reaction. So he remembers doing the in- 
ventory, but he doesn’t remember actually seeing the disks. 

Mr. Burr. Without getting into specifics about what were on 
these disks, we know they were related to NEST scenarios. Is there 
any reason to believe that an individual at the facility would have 
needed access to that particular disk for purposes of something 
they were working on? 

Mr. Habiger. From the information I’ve been exposed to in a rel- 
atively short period of time, those disks were taken out from time 
to time to be updated with more current information, and they 
were taken out by certified people for training purposes. 
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Mr. Burr. When I was at Los Alamos, we didn’t visit that par- 
ticular vault. We did do several vaults. We also did a reference 
room or library room and the security was extremely tight, even for 
us to enter. And we walked through their scenario of if an indi- 
vidual — if a scientist at the facility wanted to take out that infor- 
mation, what’s the process they would go through? There was one 
person in that room whose responsibility it was to account for ev- 
erything. Things checked out, to make sure they were checked back 
in. I’m sure there was additional security to make sure it didn’t go 
offsite. My question would be, what was the process in this par- 
ticular vault when an individual took something out and then re- 
placed it. Is there a record that we can go back to? 

Mr. Habiger. No, sir, there’s not. 

Mr. Burr. Can you explain to me why for the reference room, the 
library room that was frequently used, that we would have a proc- 
ess that followed the movement of these papers, but why there 
wouldn’t be a process that followed the movement of hard drives? 

Mr. Habiger. My observation goes along these lines. The vault 
you’re talking about, you’re talking about virtually thousands of 
people who have access, and the vault I’m talking about, the people 
who had unescorted access to these kits was less than 30. 

Mr. Burr. Does it not — in hindsight. I’m not asking you to put 
yourself before it — in hindsight, does it seem like a reasonable rec- 
ommendation that we track who removes that type of sensitive in- 
formation and when, and potentially when they return it? 

Mr. Habiger. Yes, sir. This is one of the many things that we 
are looking at to change as a result of this particular incident. 

Mr. Burr. Is it the responsibility of DOE officials at Los Alamos 
or the University of California officials? 

Mr. Habiger. University of California. 

Mr. Burr. To account for all the items? 

Mr. Habiger. Yes, sir. 

Mr. Burr. Let’s go back to this period of delay, and we all fol- 
lowed the fire. Should we be worried that there was a security 
breakdown during this fire episode at Los Alamos? 

Mr. Habiger. I talked on a regular basis to the director of secu- 
rity at Los Alamos during the fire. All security systems were up. 
Some compensatory measures had to be taken in a couple of areas 
which I was fully in agreement with. 

Mr. Burr. If I understand it, correct me if I’m wrong, this vault 
facility is in the main building? 

Mr. Habiger. Yes, sir. 

Mr. Burr. I guess close to where that library reference room 
was? 

Mr. Habiger. Yes, sir. 

Mr. Burr. Just simply because of the work space, and that was 
not a building that was left unsecured at any time. 

Mr. Habiger. At any time, no, sir. 

Mr. Burr. Was it ever a building that was evacuated of the peo- 
ple? I remember it being so far away from the forest. 

Mr. Habiger. During the fire, there was no one in that building, 
but the security systems were all up and running. Inside that 
vault. Congressman Burr, were sensors, motion sensors, infrared 
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sensors that had to be turned off before anyone had access to the 
vault. 

Mr. Burr. Clearly, there was no indication of a security breach 
that happened? 

Mr. Habiger. No, sir. 

Mr. Burr. Let’s go to this delay in notification. What is the ex- 
planation that the University of California supplied DOE on why 
they waited so long to tell DOE officials? 

Mr. Habiger. We have not gone down that path. As I indicated, 
I think, just before you came in, I was not pleased with the length 
of time that it took before I was notified, before my office was noti- 
fied, which was on the evening of June 1. During my almost week’s 
stay at Los Alamos, we were focused on three major considerations, 
the first being where are the disks, and who is accountable for the 
disks not being where they are supposed to? As we go down the 
path and we have a very structured inquiry process, part of that 
process is to come up with explanations for the kinds of things that 
you are identifying now. 

Mr. Burr. I don’t want to seem too simplistic, but I put myself 
in charge of the Los Alamos lab. I envision being in a situation 
where there’s a month’s delay before I notify the Department of 
Energy that high level security hard drives are missing, and I envi- 
sion the first question that I’m asked, why did it take you so long 
to inform us? I would take for granted that question was asked. If 
there wasn’t an answer, that’s fine, but clearly I think that — we 
have reason to be concerned because the last time we saw a delay 
like this was whether we sold a computer to an exporter of Chinese 
relationship and, you know, when we got through the whole proc- 
ess, we learned that the delay in notification, especially of us, was 
in hopes that they would retrieve it before anybody found out about 
it. 

Is this one of those situations where there was a hope by officials 
that the University of California and at Los Alamos that they 
would find the disk and not have to report it? 

Mr. Habiger. I don’t want to put words into Dr. Browne’s mouth, 
but my observation is that scenario that you’re just describing. 

Mr. Burr. Let me — I thank you for that. I do. I don’t think it’s 
any member’s intent that we are going to solve this case today, but 
we appreciate your willingness to let us explore some of the ques- 
tions. 

Mr. Chairman, do I have time to go into some of the head- 
quarters’ questions? 

Mr. Upton. Can we go another round and you can do that? 

Mr. Burr. I would be happy to do that. 

Mr. Upton. Mrs. Wilson. 

Mrs. Wilson. Thank you, Mr. Chairman. Again, I appreciate 
your willingness to let me ask some questions here today. 

As I said in my opening statement, I don’t intend to go into some 
of the details of the most recent incident in Los Alamos, because 
the questions that I want to ask are very specific, and I don’t think 
that the answers would be appropriate in an open forum. But I 
think we have summarized pretty clearly what the questions are 
from this committee’s point of view and from my point of view. 
What happened to those hard drives? Is there a compromise to 
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America’s national security? Who is accountable for it? And how 
are we going to make the systemic changes needed to make sure 
it doesn’t happen again? And did the notification procedure work? 

As I understand it, John Browne, the director of the lab, didn’t 
even know they had a problem until May 31, which is the day be- 
fore he informed you which means there’s a problem lower down 
within the lab on processes of notification. I understand completely 
that an investigation could not have been done fully until after the 
fires were under control, and I think all of us in this room under- 
stand that, that you can’t do the arson investigation until the fire 
is out. At the same time that doesn’t preclude prompt notification 
that we may have a problem, and I think those are all legitimate 
questions we’re going to be seeking answers to. 

I’d like to focus on a couple of other things from your testimony 
in the time that I have available. First, this question of funding for 
cyber security at the Department of Energy. I note from the testi- 
mony, particularly General Habiger, yours, concerning the need for 
supplemental funds. I went back and checked my records, because 
this was an important issue for me. According to my records for fis- 
cal year 2000, the supplemental requested by the administration — 
now, you may have asked for more money from the Office of Man- 
agement and Budget, but it may not have gotten approved — ^be- 
cause the administration requested $4 million for cyber security 
from the Congress. I thought that was way too low, and so several 
of us from this Congress met quietly with folks who know a little 
about cyber security and the problems at the nuclear weapons labs, 
and they confirmed that that was way too low. 

I made a request of the Appropriations Committee in the Con- 
gress for $90 million in supplemental funds for cyber security for 
the Department of Energy, and the House approved $45 million for 
cyber security. That’s currently sitting over in the Senate, and 
pieces of it may be pulled out and added on to one of the bills that 
we’re about to work on in the next couple of weeks here. 

I guess what I want to know is, what are you talking about with 
$35 million? Is that what you asked 0MB for and are you now 
going to continue to support the administration’s $4 million re- 
quest? Are you going to support what the House put into the bill, 
which is $45 for cyber security immediately? 

Mr. Habiger. We’re talking about fiscal year 2000 amend- 
ment — 

Mrs. Wilson. Current fiscal year, yes. 

Mr. Habiger. We submitted a request for $65 million for security 
in the Department of Energy in that supplemental, $65 million. We 
received $10 million of that $65 million. Thirty-five million of that 
was for cyber security. The $10 million that we got was not di- 
rected toward cyber security. I personally directed that $7 million 
of that $10 million be dedicated to cyber security. That is what, as 
I understand it. Congresswoman Wilson, came over on July 13 of 
last year. 

Mrs. Wilson. July 13, 1999? 

Mr. Habiger. Yes, ma’am. 

Mrs. Wilson. You’re talking about 1999 money, not 2000 money? 

Mr. Habiger. Supplemental 19 — an amendment for fiscal year 
2000 that was submitted on July 13. 
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Mrs. Wilson. Gentlemen, without meaning any disrespect, I 
think you may want to go back and talk to your budgeters about 
which years we are talking about, and which supplementals we are 
talking about, because there was a supplemental request for cyber 
security for the current fiscal year, we are in fiscal year 2000, and 
it was for $4 million from the administration. That was the re- 
quest. We upped it to 10 times as large. 

Mr. Habiger. It was — the fiscal year 2000 we submitted on the 
July 13, 1999, an amendment. 

Mrs. Wilson. You are talking about when the budget was ini- 
tially passed for the current year. I am now talking about the sup- 
plemental that is pending in this House currently. The administra- 
tion only asked us — after all of the Cox report, after all of you went 
out to look at the labs, after we got all of the reports in that said 
we were way under our estimate of what we’re going to need for 
cyber security — and the administration’s request for a supple- 
mental for what we need right now, today, to get moving and get 
this thing fixed was $4 million. My sense was that was way too 
low, so we upped it to 10 times that amount, and we’re going to 
vote on it here. What do you want me to vote on? You want me 
to back off on this and go with the administration at a $4 million 
supplemental request or do you want me to keep fighting? 

Mr. Habiger. I would like you to keep fighting. 

Mrs. Wilson. Thank you, sir. 

With respect to this diagram that we see over here, it has a num- 
ber of firewalls around the top of it and yet it’s got a number of 
connections at the bottom of it which seem to go to other areas 
within the Department of Energy and contractor facilities and so 
forth where they don’t appear to be firewalls. Could you talk to me 
about the vulnerability of the DOE unclassified systems through 
those other areas? 

Mr. Peterson. For the classified systems or for the — I’m sorry, 
the contractor facilities, what we’re specifically talking about there 
are local contractor support in the Washington, DC area so a pro- 
gram office would establish a connection with a local supporting 
contractor. That’s not to imply that those go out to the national 
laboratories or other sites. 

The other connection that’s shown up there for the DOE business 
net is to 38 different DOE field sites throughout the country. Now, 
some of those field sites are collocated behind firewalls with other 
sites. For example, at Oak Ridge, you’d have collocated there Y 12 
and Oak Ridge National Lab, but for the Albuquerque field office, 
there’s no connection to Sandia or Los Alamos. So it’s going to vary, 
but specifically, talking about the connections to the DOE Federal 
facilities. We have a concern because you’re exactly right, there’s 
not a firewall at the headquarters junction where you have these 
connections, and then they become logically part of your head- 
quarters’ internal network. There’s no firewalls or security features 
to prevent access from those remote sites. These — each one of these 
facilities may have their own firewall. They may have modem con- 
nections which then provide pathways into the internal head- 
quarters network, and our concern has been that that risk has not 
been adequately addressed and considered. 
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Mrs. Wilson. I ask unanimous consent to ask this one final 
question. Does that mean that someone can get access to the con- 
tractor facility, and then from there get into the DOE unclassified 
system? 

Mr. Peterson. That would be a concern, yes. 

Mrs. Wilson. Thank you, Mr. Chairman. I would like to enter 
into the record the report of dissenting additional views of the 
Emergency Supplemental Appropriations Act for the year ending 
September 30, 2000, where it states very clearly that with respect 
to cyber security, the committee recommendation for cyber security 
activity is $49 million, an increase of $45 million over the adminis- 
tration’s request of $4 million. 

Mr. Upton. Without objection. 

Mr. Green? 

Mr. Green. Thank you, Mr. Chairman. I ask unanimous consent 
to place my statement into the record. 

Mr. Upton. Without objection. 

Mr. Green. General, you seem to want to tell us that the prob- 
lems at the headquarters are not the fault of poor management and 
lack of attention but of dollars. That’s what we’re hearing in re- 
sponse to this morning’s article where the Secretary said the com- 
mittee only approved a small amount of funding for last year. But 
Mr. Podonsky said these are not high ticket items, and now you 
say we can fix these problems within 60 days. That doesn’t sound 
like a money problem to me. And is it a money problem or are we 
talking about something different when you say it can be fixed 
within 60 days? 

Mr. Habiger. We’re talking about two different things. Congress- 
man Green. Had we received adequate funding at the beginning of 
the fiscal year, we’d have been able to move out quickly in terms 
of training systems administrators, going out and perhaps finding 
these problems before Podonsky found them, and I would readily 
admit that the basic problems involve the organizational issues 
that Mr. Gilligan talked about, but again, it goes back to a money 
issue. If we had received adequate funding, I don’t — in my judg- 
ment, our performance would have been better. 

Mr. Green. Mr. Podonsky, were these problems caused by lack 
of money or lack of oversight or management skill? 

Mr. Podonsky. First of all. Congressman, I would like to say 
that in the 16 years I’m reminded I’ve been in the department, and 
have lived through six secretaries, nobody other than Secretary 
Richardson has applied as much attention in management skill to 
the security issues as the Secretary. However, having said that, I 
would also say that my staff concluded that a vast majority of the 
issues at the headquarters unclassified cyber security were man- 
agement-related, not financially related. There are some financial 
aspects to it, but clearly, the fragmentation that exists among the 
various pods in the headquarters need to be fixed and fragmenta- 
tion doesn’t take money. 

Mr. Green. You don’t have to — a lot of us served with Secretary 
Richardson and consider him a good friend, and he’s diligent and 
I understand that. Sometimes we wonder, even in Congress, if it’s 
a mistake when we do something successfully. 
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Let me ask everyone on the panel, it’s my understanding that 
DOE is considering opening the bidding for the contract to run Los 
Alamos National Laboratory, which is currently held by the Uni- 
versity of California, in fact, I understand for the last 50 years. 
Given the problems that this lab has had along with the new rev- 
elations that is in today’s news media, would you recommend that 
this contract be open for bidding? 

Mr. Habiger. Congressman Green, let me tell you right up front, 
I have not been involved in the contract of the laboratory. At this 
particular point in time, I have no recommendation one way or an- 
other. 

Mr. Green. Anybody else? Since we seem to have problems at 
Los Alamos and even Livermore, that if someone has had a certain 
contract for those years, is it something we can look at the con- 
tractor? Is it DOE? 

Mr. PoDONSKY. I think. Congressman, it gets back to the basic 
accountability in that people, whether they be contractors or Feds, 
need to be held accountable for their responsibilities that they are 
assigned. 

Mr. Habiger. The Secretary has made that very clear on a num- 
ber of occasions. 

Mr. Green. One last question, again, raised from the article this 
morning. I was told that the unit that was lost or misplaced, that 
the unit was not the one involved in the test at Lawrence Liver- 
more in early May. The article said that it was. Can you state for 
certain, or is it possible that we may be looking in the wrong lab 
for it? Maybe it’s still in California. Again, since it was discovered 
missing on May 7 and reported on June 1, is that a possibility? 

Mr. Habiger. Sir, we dispatched two Department of Energy in- 
vestigators who hooked up with two FBI agents at Lawrence Liver- 
more, and every conceivable place was searched and interviews 
were conducted. This occurred on Tuesday of last week. 

Mr. Green. Again, Mr. Chairman, whatever time I have left, I 
share the concern of all the members of the committee, and be- 
cause of the nature of what would happen, or what could happen 
with — we’re concerned about rogue nations and things like that, 
that if a terrorist had the ability to utilize this information on how 
we would respond to a terrorist attack with a nuclear device. So 
I would just encourage the Department of Energy and our con- 
tractor to do everything they can to make sure that they find it, 
but also that this doesn’t happen again. Thank you. 

Mr. Upton. Thank you, Mr. Green. 

Mr. Bilbray. 

Mr. Bilbray. Mr. Chairman, I appreciate your having this hear- 
ing. General, I’m not going to ask any questions except for the fact 
that as a father of five, I sure hope my kids aren’t watching and 
reading about this incident. I only say it because I don’t know how 
many times a parent will say where is the last time you saw it, 
who was responsible for it, you know, the whole concept we have 
of personal accountability, and this just really makes it tough for 
those of us who are trying to teach our children to be personally 
responsible for their little part of the world that they’ve got control 
over. 
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And this situation just really is inexplicable to a young person, 
let alone a child, about, well. Daddy, what did the Federal Govern- 
ment do with this? Why is this — why don’t they know where their 
important stuff is? Didn’t they clean their room and keep it tidy so 
they know where they hid it? And I’m just here to listen because 
I’d like to find more answers so that, God forbid, if they ask me 
when I get home on Friday what happened, where is it, are they 
going — who is going to be held accountable, I want to at least have 
some answers for them, because this thing I think is a whole credi- 
bility issue that goes farther than just one department in this gov- 
ernment. It really, really hurts our credibility as the servants of 
the American public and as the guardians of world freedom. I yield 
back, Mr. Chairman. 

Mr. Upton. Thank you, Mr. Bilbray. 

I have a couple more questions. We’ll start a second round. 

General Habiger, it’s my understanding that they knew the disks 
were there in April. When was the last time that all the disks were 
known to be accounted for? 

Mr. Habiger. In kit number 2, the last fully confirmed audit was 
on April 7. We have an unconfirmed audit or inventory by an indi- 
vidual, as I indicated before, said that if they weren’t there, he 
doesn’t remember seeing them, but he said if they weren’t there, 
it would have rang alarm bells. 

Mr. Upton. So really not until May 8 did you realize 

Mr. Habiger. May 7, sir. 

Mr. Upton. May 7 that they were there. 

Mr. Burr. Would the chairman yield for one clarification. 

Mr. Upton. Yes. 

Mr. Burr. General, was that the only thing in that vault or are 
there other sensitive documents or disks or hard drives? 

Mr. Habiger. There were three kits in that room, sir. 

Mr. Burr. When you say they were a kit, kit No. 1 was ac- 
counted for on April 7. 

Mr. Habiger. Kit number 2. 

Mr. Burr. Does that tell us that kit number 1 and kit number 
3 were not accounted for on April 7? 

Mr. Habiger. That is true. 

Mr. Burr. I thank the chairman. 

Mr. Upton. And there was more than just the kits. Could you 
describe this vault again. Those of us that went out, we were in 
the library there. The library is sort of the secure room that was 
there. We did not — I don’t believe we saw where this vault was in 
the building, but is it similar to the other vaults that we saw? 

Mr. Habiger. Sir, it’s much smaller. It’s about ten foot wide, 
about 20 feet long there. There were two long tables, a number of 
shelves, a small two-drawer safe. There were some documents. 
There were other hard drives. 

Mr. Upton. Is there security outside of the room then as well? 

Mr. Habiger. Yes, sir. Sir, this is a vault. I mean, this is some- 
thing that, again, in open session without — I’d rather not go into 
the details, but this is something you and I would take several 
weeks trying to break into. I’m talking about dynamite and explo- 
sives and that sort of thing. 
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Mr. Upton. Of the — is it 28 or 26 individuals that have access 
to it without being escorted? 

Mr. Habiger. I believe the number is 26, sir. 

Mr. Upton. Of those 26, are all of them U.S. citizens? 

Mr. Habiger. Oh, yes, sir. 

Mr. Upton. No foreign nationals? 

Mr. Habiger. Oh, no, sir, no, sir. 

Mr. Upton. I just want to make sure. 

Mr. Burr. Mr. Chairman, would you yield? Twenty-six individ- 
uals have access to the kits? 

Mr. Habiger. Unescorted access. 

Mr. Burr. Are there any other individuals who have unescorted 
access to the vault? 

Mr. Habiger. 57. 

Mr. Burr. 57 to the vault? 

Mr. Habiger. Yes, sir. 

Mr. Upton. They have to be escorted, though. 

Mr. Habiger. Escorted. 57 escorted. 

Mr. Burr. My question is, is there a difference in those that have 
access to the kits and access to the vault? Is it the same list or is 
it one and the same? 

Mr. Habiger. The people who have unescorted access can open 
up the vault. The 57 who have escorted access have to have some- 
one who has unescorted access, open the vault and let them in to 
do what they have to do. This is a good point and I should have 
clarified it earlier. The vault was a dual-purpose vault. On one side 
of the vault you had the NEST activities, and on the other side of 
the vault you had the ASCI, the Advanced Strategic Computer Ini- 
tiative activities on the other side of the vault. 

There is an individual who is accountable for that vault. It’s an 
individual who has unescorted access to the vault, and she is re- 
sponsible for who gets in there and makes sure that only people — 
the people that have unescorted access are watched by her if she’s 
in there. If she’s not in there, the door should be locked. 

Mr. Burr. Unescorted access means they have total access to ev- 
erything in that vault? 

Mr. Habiger. Yes, sir. 

Mr. Burr. The right side and the left side you’re describing? 

Mr. Habiger. Yes, sir. 

Mr. Burr. I thank you. 

Mr. Upton. Have all the folks with access to the vault been 
quizzed already? 

Mr. Habiger. Sir, all of the people who have unescorted access 
have been interviewed. Most of the people, primarily based upon 
availability who had unescorted access, have been interviewed. 

Mr. Upton. Now they are going back to reinterview all the indi- 
viduals with a polygraph; that begins tomorrow? 

Mr. Habiger. The FBI is working up a list of people that they 
will polygraph. The FBI is in charge of the polygraphing process. 

Mr. Upton. I want to go back to the dollar amount that Mrs. 
Wilson raised with regard to the supplemental. Before I was in the 
Congress, I served at the Office of Management and Budget. I was 
very aware of different agency requests that came in, and ulti- 
mately what happened to them up on the Hill, and it was one of 
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the reasons that a number of us wanted to go out and visit the 
labs. Actually, I think it was the hearing that you might have been 
at last summer, where a number of us indicated we had never been 
there and we wanted to get a better understanding of just exactly 
what was there, so we could have a helpful hand in making sure 
that security was appropriate. 

Mr. Podonsky and others provided many details to us. As we un- 
dertook the Department of Energy’s budget last year, I do remem- 
ber there were additional requests that came in, but it was in- 
cluded as part of the overall spending bill that was adopted in, I 
believe it was October, and everything was on the table, and if the 
administration, I think, had pushed a little bit harder, or even 
some would suggest pushed, in fact, the full funding amount would 
have been included as part of the overall bill. But it is sort of sur- 
prising that as it wasn’t all funded, that the Department of Energy 
would only — I should say the administration would seek only $4 
million, which we have now requested more than 10 times such, 
but based on the testimony by Mr. Gilligan this morning where, in 
essence, he indicated that problems were identified a year ago and, 
in fact, within 60 days, a system would be set up to make sure 
there wouldn’t be any problems and that’s without any funding at 
all. 

As we look at the level of funding that we’ve done with the labs, 
the labs were very careful to tell us that security was No. 1 and 
that they would find — they identified a number of weaknesses that 
were out there and that they would find the resources to fix the 
problem, no matter what the cost, and, in fact, I think they’ve done 
that, would be my sense, as they’ve testified to us earlier. 

I just wondered why isn’t A, the same standard there at the 
headquarters and B, how are you able to do it now? It sounds like 
you’re able to do exactly what you wanted to do without an extra 
dime coming your way. 

Mr. Gilligan. Sir, I appreciate the question, and let me if I 
could, go back and make clear, the request that we made last sum- 
mer for $35 million as a budget amendment for the fiscal 2000 was 
something that I personally worked. In fact, my initial rec- 
ommendation was for $50 million. Working with the Department, 
we were only able to identify offsets, that is, other budget reduc- 
tions within the Department to support $35 million. That came 
through the administration over to Congress. We got 7 million. Of 
that, $1 million was earmarked for a specific project; so $6 million 
to be able to dedicate against the priorities that we identified. 

Frankly, I was surprised that we didn’t get support after we had 
had the hearings and the discussion, especially in view of the fact 
that the Department provided offsets, other budget reductions. 
Those offsets were taken to fund other priorities. 

Subsequently I was given an opportunity — I was given a cap of 
$4 million to identify additional cybersecurity initiatives that we 
could request in a budget supplemental, and we did. 

Now, to address your specific question on the current head- 
quarters review, the significant problems that we’ve identified, 
many of them can be fixed with limited dollars, I will readily admit 
that. There are some significant management issues that we can 
address in the Deputy Secretary’s memo, which, in addition to the 
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policy authority that I have for the Department, now gives me line 
operational authority for the headquarters computer security. I can 
now work to put the management changes that need to he in effect 
to he able to fix most of the problems. 

However, I still need additional funding to fully implement pro- 
tections to solve some additional weaknesses that I am aware of on 
that picture. For example, at the lower left of that picture, you see 
a cloud network. That is the DOE network. That network connects 
our headquarters with all of our Federal operations. That is some- 
thing I am responsible for. We, in fact, do have a policy, and we 
have enforced the policy that each of the sites must have a firewall 
before they can connect to DOE Net. Mr. Podonsky’s review identi- 
fies that additional security measures would be warranted, and I 
agree, and that would be to create an additional protection so that 
one site that potentially is compromised could not affect another 
site. 

That will take funding. That funding is something I have re- 
quested now in the 2001 budget, and I would appreciate support 
for that. So we will be able to implement some of the fixes, some 
of the configuration management enforcement. Some of the connec- 
tion policies we will be able to implement. We will not be able to 
implement some of the full enhancements that I would like to do 
to get the headquarters up to the level of my comfort without addi- 
tional funding in fiscal year 2001. 

Mr. Upton. Thank you. I know my time has expired. I’d just like 
to tell all members that we’re looking at having a classified closed 
briefing with General Habiger on the issue of the missing hard 
drives, not only with this subcommittee, but also with other mem- 
bers on Intelligence as well as Armed Services, and it could be 
later today. 

Mr. Stupak. 

Mr. Stupak. Thank you, Mr. Chairman. 

General, the way I understand it here, there are three kits, two 
hard drives each. So there’s a total of six hard drives. 

Mr. Habiger. Yes, sir. 

Mr. Stupak. Can you tell us when the last time all six were 
present and accounted for? 

Mr. Habiger. I can tell you that — not all six. I can tell you that 
4 of the 6 were accounted for when the lab began their aggressive 
inventory on the — beginning May 22. 

Mr. Stupak. May 22? 

Mr. Habiger. Yes, sir. 

Mr. Stupak. All right. Why would you take the hard drives out 
of kit three and put it in kit two? 

Mr. Habiger. So you’d have an operational capability. 
Remember 

Mr. Stupak. But then that renders kit three incapable, right? 

Mr. Habiger. The hard drives are all the same. One’s primary, 
one’s backup. The concern was to get an operational kit out of 
harm’s way, and so the individuals who went into the vault at 2300 
on May 7 made a decision to move the two hard drives. 

Mr. Stupak. All right. Well, move them out of harm’s way, we’re 
talking here about a wildfire. From my watching of the news and 
everything else, it seems like a wildfire is threatening to an area 
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or a place for a day or two because it’s a wildfire, and then it moves 
on. Your testimony is that from May 8 to May 22 

Mr. Habiger. Sir, the winds were constantly changing, and the 
winds were up to 60, 70 knots during this period, and initially — 
and you had massive changes, 180-degree wind changes of these 
very high winds, and the exposure or the risk to the lab would go 
up 1 day and down the next, just depending on which way the wind 
was blowing. 

Mr. Stupak. Well, if it would go up 1 day and come down the 
next, during that time did anyone make any efforts then to try to 
locate these disks? 

Mr. Habiger. As far as I know, no, sir, and let me point out that 
the Los Alamos — the city of Los Alamos and the laboratory were 
shut down, were evacuated. National Guard troops were in place. 
State police, to ensure that. 

Mr. Stupak. Okay. Let me just — and I know a statement was 
made earlier that you can’t do an arson investigation while a fire 
is ongoing. Having been in police work for 12, 13 years, I totally 
disagree, because during an arson investigation there are things 
you look for, people around there, the evidence, containers, fire 
trails, the burn patterns. Those are all key parts of any arson in- 
vestigation, and I’m sure they are in any investigation. I’m still be- 
fuddled why we waited until after May 22 and you not being noti- 
fied until June 1. I just find that unacceptable and — ^but I’m sure 
we can get into that some other time. 

Mr. Podonsky, you’re in charge of the Independent Oversight for 
security at DOE, correct? 

Mr. Podonsky. Yes, sir. 

Mr. Stupak. And you spent a lot of time out there last year and 
after it was determined that classified information was being 
downloaded into unclassified systems; did you not? 

Mr. Podonsky. Yes, we did. 

Mr. Stupak. One of the things you told the subcommittee in Oc- 
tober when we held a hearing on the security situation at the 
weapons lab was that there — and I am going to quote now — there 
were weaknesses in access controls at areas where classified weap- 
ons information was used and stored. Is that correct? 

Mr. Podonsky. That is correct. 

Mr. Stupak. And that’s not a cybersecurity issue, it’s a plain old 
physical security problem. In fact, you were talking about areas ex- 
actly like the vault in which the lost hard drives were stored, cor- 
rect? 

Mr. Podonsky. That is correct, but we were not at the TA three 
area. 

Mr. Stupak. I know you weren’t talking specifically about that 
vault at that time. It’s the idea of the same old physical security 
problem. Now that we’ve established that the disks were in the 
emergency response kit for the NEST team, and the kit was in a 
locked suitcase-like container with other locked containers inside, 
these hard drives were in one of those containers. The suitcase, 
however, was accessible to anyone in the room. We’ve already es- 
tablished there were keys there, you could get at them. Can you 
explain to me then how a situation could have been allowed for this 
type of security breach? I mean, if it’s plain old physical security. 
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and that was a concern a year ago, why would we have the keys 
right there, accessible, attached to the kits or hanging on the wall? 
It just seems like a great opportunity to access it by somebody who 
should not access it. 

Mr. PODONSKY. I can answer generically since we are not directly 
involved in what’s currently under investigation. However, I will 
tell you in August when we were there, they were rated satisfac- 
tory, the overall site security, and then again in December, and 
that was based on the performance that we saw at the sites within 
the laboratory that we inspected. We maintain and believe that 
that was a satisfactory performance. 

There is a human element in security, and that’s something that 
is always unpredictable. Obviously, as I said, we don’t have the de- 
tails of what’s going on in the investigation, but we had seen, just 
like in the downloading of classified to an unclassified Net, there 
is always that human element, regardless of all the administrative 
controls that you put in. 

Mr. Stupak. Exactly. There’s a human element. I think when we 
raised it earlier, I was reminded that these are good, hard-working, 
honest people. No one up here is saying they’re not, but the fact 
remains we still have two hard drives missing that can’t be ac- 
counted for, that can’t be remembered where they are. 

And explain something else for me if you can, and maybe I’m — 
explain how a nuclear weapons laboratory can have a satisfactory 
security program, but can lose or have removed weapons, design 
and intelligence information such as on these hard drives? How can 
they get a satisfactory? 

Mr. PoDONSKY. At the time that we inspected them, they were 
performing at a satisfactory level, and all the things that we tested, 
the guards, the cybersecurity, the material control accountability, 
they were not only in compliance with the DOE requirements, but 
they were performing well, albeit this latest news event that just 
occurred is not a satisfactory situation, but that does not, in our 
view, taint the entire laboratory’s performance. It does call into 
question a lot of other issues that I’m sure General Habiger will 
talk in a closed session. 

Mr. Stupak. In the previous hearings we’ve always brought up 
this atmosphere that exists at the lab, rather relaxed atmosphere, 
and I’ve been one who always talked about accountability and re- 
sponsibility, and then we continue to see these satisfacto^, satis- 
factory, and then we hit another embarrassing-type situation. So I 
guess that goes back to that human element. No matter how hon- 
est or how well we think employees are, there’s still going to be a 
degree of human element that you can’t put satisfactory on. Is that 
a fair statement? 

Mr. PODONSKY. I would say there’s a — with any corporation, in 
DOE in particular, as we’ve seen, there’s some very dedicated peo- 
ple there that are doing the job for very noble reasons, and there’s 
always going to be the human element that you cannot put a satis- 
factory on. 

I am reminded when we used to do safety oversight, we had a 
number of very serious and near fatal accidents at the laboratory. 
Not everybody took safety seriously until it happened to some of 
their own researchers. So that human element is something that 
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it is very difficult to quantify. So what we do is we don’t just look 
at technical systems, we look at management systems. We try to 
get to the root cause. We’re not at all trying to indicate that we 
hide behind the curtain of the human frailties, but that’s some- 
thing that has to be considered. 

Mr. Stupak. Thank you, Mr. Chairman. 

Mr. Upton. Mr. Burr. 

Mr. Burr. Mr. Gilligan, let me attempt to answer a question you 
raised or a statement that you made, and this is a response from 
me personally. You said that you were surprised that the budget 
request was not fulfilled, and I would only share from a standpoint 
of somebody that I think has been in every security briefing that 
we’ve had, open or closed, has followed the process to the extent 
that over the break I traveled to California for a three-stop tour in 
2 V 2 days, and has followed not only the General’s suggestions, but 
the Secretary’s statements, that many of the things that were stat- 
ed up front have not been fulfilled. 

I am not here to judge whether they should have been made or 
should have been carried out, but we made some changes along the 
way, and that’s understandable as we’re addressing a crisis of the 
moment. I think the lack of any specific funding that might not 
have made it is a lack of confidence that we have the right plan 
in effect, or that we’re concerned on whether we will implement 
what it is that we have endorsed, or there’s not that degree of need 
to accomplish what has been explained to Congress. 

So the challenge is indeed on your part and on the part of Gen- 
eral Habiger and of the Department of Energy to make sure that 
every Member of Congress understands what the cost of the proc- 
ess is, and that may be a more elementary challenge on your part 
than we have had in the past, but we are not going to knee-jerk 
to a crisis that exists. We’re going to ask for the documentation, 
and we’re going to ask for the accountability that what you tell us 
is accomplished. 

Let me move back to the current situation for just a few more 
questions. General. What do you mean by escorted? When a person 
is escorted, what does that mean, into that vault? 

Mr. Habiger. They have to be accompanied by someone who un- 
derstands the security requirements. 

Mr. Burr. Would that individual have to be on that list of 26 in- 
dividuals? 

Mr. Habiger. Yes, sir. 

Mr. Burr. For secure access by themselves? 

Mr. Habiger. Yes, sir. 

Mr. Burr. You mentioned, I think, ASCI information additionally 
was stored in that vault? 

Mr. Habiger. Yes, sir. 

Mr. Burr. Is that accounted for and secure today? 

Mr. Habiger. Yes, sir. 

Mr. Burr. All of it? 

Mr. Habiger. Yes, sir. As a matter of fact, the laboratory in the 
nuclear weapons arena. Dr. Browne directed as of 1700 hours yes- 
terday that a 72-hour lock-down of the nuclear weapons area be ac- 
complished, and that all plans, security plans, be reviewed, and 



45 


that all classified media, documents be accounted for. That’s to be 
accomplished over a 72-hour period. 

Mr. Upton. Would the gentleman yield? 

Mr. Burr. Yes. 

Mr. Upton. When somebody is in the vault, and they are to be 
escorted, does the escort then have to stay with that individual the 
entire time they are within the vault? 

Mr. Habiger. Yes, sir; again, 10 feet wide, 20 feet long. 

Mr. Upton. So if you need the escort, there’s always at least two 
people in that room? 

Mr. Habiger. Absolutely, sir. 

Mr. Burr. General, if you can’t answer this, I understand it, 
we’ll address it later, but after an individual has possession of this 
hard drive, how easily is it usable? Is it a plug and play? 

Mr. Habiger. Yes, sir. 

Mr. Burr. Okay. Was this the most sensitive information in the 
vault? 

Mr. Habiger. Yes, sir. 

Mr. Burr. Let me ask you, you referred to the fact that the FBI 
has taken the lead in the investigation, and you expect next week 
for the FBI to begin a polygraph process. 

Mr. Habiger. Tomorrow. 

Mr. Burr. Tomorrow, once they have identified individuals. We 
know the record with polygraph as it relates to our scientists. This 
is not something that they do enthusiastically. Do you have any 
reason to believe that any of the individuals that will be targeted 
would object to this initiative? 

Mr. Habiger. I will give you a very definitive answer in closed 
session, sir. 

Mr. Burr. I thank you for that. 

Let me move, if I could, to why we’re here today. Glenn, last time 
you testified here, I believe you very emphatically told us that the 
message was getting out on security, that that had been heard, and 
today you’re telling us that DOE headquarters heard the wake-up 
call. Is that right? 

Mr. PODONSKY. Yes, sir. 

Mr. Burr. If DOE headquarters really heard that call, then why 
do you find such a bad situation involving very basic principles of 
computer security? 

Mr. PoDONSKY. Well, sir, as I started to mention in my response 
to Congressman Green, I’d like to iterate, in all the time that we’ve 
been in the Department, we’ve seen some very egregious manage- 
ment systems in place, a lot of repeat issues that should have been 
dealt with over the last 16 years. Many issues have been written 
about in our oversight reports. Various administrations did not 
have it high on the priority. 

Eor obvious reasons, this administration, together with this Con- 
gress, has focused a great deal on security in Department of En- 
ergy, and to you all’s credit as well as this Secretary, we have seen 
a quantum change. It doesn’t mean they are there where they need 
to be, but clearly the headquarters, the responsibility that John 
Gilligan has being further clarified by his Deputy Secretary 
Glauthier’s memo will further help him do the job that he was 
hired to do, but in addition, he and his staff have been focusing on 
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the field extensively. So quite candidly, until the management proc- 
esses were in place, we did not see that they were going to be very 
successful at bringing the headquarters into the same level that 
the field is now getting into. 

We believe with the corrective action plan that Mr. Gilligan’s of- 
fice has prepared, if all the items in there get carried out, we do 
believe it’s going to be going in the right direction. That’s why we 
say that we’ve seen a difference. It is taken in respect to what 
we’ve seen over the last 16 years. 

Mr. Burr. Most of us who have served for several years consider 
Bill Richardson to be a friend, and we know that every effort he 
goes out on is genuine and passionate. So I think we would hold 
in the same regard the Secretary’s willingness to address this prob- 
lem. The follow-through is something that this committee continues 
to be baffled at, and I would only point to the March 3, 2000, 
memorandum from the White House, and that memorandum, in 
the last paragraph it said, accordingly. I’ve asked each Cabinet 
Secretary and agency head renew their efforts to safeguard their 
department’s or agency’s computer systems against denial-of-serv- 
ice attacks on the Internet, stepping up the awareness of a security 
breach. 

That was March 3, 2000. 

It also said, I have asked my Chief of Staff John Podesta to co- 
ordinate a review of the Federal Government vulnerabilities in this 
regard and report back to me by April 1. 

[The information referred to follows:] 

The White House 
Office of the Press Secretary 

March 3, 2000 

For Immediate Release March 3, 2000 

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND 
AGENCIES 

SUBJECT: Action by Federal Agencies to Safeguard Against Internet Attacks 

America and the world have benefited tremendously from the amazing advances 
we have seen with the Internet and computer technology. But with every new tech- 
nological advance there are new challenges, and we must meet them — both Govern- 
ment and the private sector — in partnership. 

Following recent Internet disruptions, I met with experts and leaders of the infor- 
mation technology industry so we could work together to meiximize the promise of 
the Internet, while minimizing the risks. These Internet disruptions high-light how 
important computer networks have become to our daily lives; and how 
vulnerabilities can create risks for all — including the Federal Government. 

Accordingly, I ask each Cabinet Secretary and agency head to renew their efforts 
to safeguard their department or agency’s computer systems against denial-of-serv- 
ice attacks on the Internet. Within legal and administrative limits, attention should 
also be paid to contractors providing services. The Federal Computer Incidence Re- 
sponse Center (FEDCirc) and the National Infrastructure Protection Center (NIPC) 
have available software tools to assist you in these efforts. 

I have asked my Chief of staff, John Podesta, to coordinate a review of Federal 
Government vulnerabilities in this regard and to report back to me by April 1. 

William J. Clinton 

Mr. Burr. Mr. Podonsky or General Habiger, can you share with 
us what Mr. Podesta reported to the President relative to the state 
of security at the Department of Energy? 

Mr. Gilligan. Sir, I’d be happy to tell you. In fact, I was one of 
the authors of that memo that the President signed. Under my role 
as cochair of the Federal CIO Council, Security, Privacy and Seen- 
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rity Infrastructure Committee, I have a responsibility to help ad- 
vise the administration across the Federal Government. We pre- 
pared that memo for the President. We prepared a process working 
with Office of Management and Budget, Mr. Podesta’s staff, to get 
reports from each Federal agency. Within the Department of En- 
ergy, I coordinated the response. We sent out guidance to each of 
our field organizations, specific technical guidance on how to pre- 
vent denial-of-service attacks. It is a particularly difficult, tech- 
nically challenging 

Mr. Burr. I take for granted that the April 1 deadline for Mr. 
Podesta to get back to the President was a status report, are we 
secure. 

Mr. Gilligan. No. The status report was on those actions that 
have been taken. Security is not a binary function. It is not we are 
100 percent secure or we are 100 percent insecure. It’s a relative 
activity. It’s a very complex set of technical issues that are in- 
volved. 

The status report that was asked for was what was the response 
within each agency to address denial-of-service attacks, and within 
the Department of Energy we reported that each of our organiza- 
tions had taken the guidance that we had issued, they had re- 
sponded to the guidance in a variety of ways, many running spe- 
cific software checks against all of their systems to look for poten- 
tial vulnerabilities that could be exploited, to look for configuration 
controls that would, in fact, allow us to prevent denial-of-service at- 
tacks. 

Mr. Burr. Did the Department of Energy make the April 1 dead- 
line? 

Mr. Gilligan. Yes, we did. 

Mr. Burr. Glenn, your review of security was at the end of April? 

Mr. PODONSKY. Yes, sir. 

Mr. Burr. At that time did you find Web servers at the Depart- 
ment of Energy that could access other agencies? 

Mr. Peterson. We found Web servers, again referring to our dia- 
gram, out in the public area outside of the screen sub-Net, that 
were vulnerable to attack. We proved that by taking over one of 
those machines, and we could have used it to attack a different 
agency. 

Mr. Burr. You could use them to launch a denial-of-service at- 
tack on other government agencies? 

Mr. Peterson. That is correct. 

Mr. Burr. Now, is that what you reported to Mr. Podesta? 

Mr. Gilligan. The report back to Mr. Podesta did not address 
every individual computer within the agency. 

Mr. Burr. So what was the President asking for in this memo- 
randum? I mean, I take for granted he was probably asking about 
some of the most sensitive secure areas. We’re doing an assessment 
of unclassified areas and just our Web servers. We were vulnerable 
to exactly the thing the President said in his memorandum, which 
was denial of service existed. 

Mr. Gilligan. Each of the sites reported the steps that they had 
taken. The headquarters organizations, plural, reported those steps 
they had taken to respond to the denial-of-service attacks. We did 
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not at this juncture verify each and every computer the fact that 
something 

Mr. Burr. If you knew that those existed when you put this re- 
port in, why was Mr. Podonsky’s review of the system needed if you 
knew where we were vulnerable? 

Mr. Gilligan. I am not sure, sir, I understand your question. 

Mr. Burr. You responded to Mr. Podesta for the purpose of his 
reporting to the President the status at DOE by April 1. 

Mr. Gilligan. That’s correct. 

Mr. Burr. At some point thereafter Mr. Podonsky’s still doing a 
review of unclassified systems at the Department of Energy, and 
he finds vulnerable areas. I guess the question is, did you know 
about those vulnerable areas when you reported to Mr. Podesta? 

Mr. Gilligan. Sir, today and in the future there will continue to 
be vulnerabilities in our computer systems. That’s the state-of-the- 
art. There are vulnerabilities in the computer systems that are run 
by this Congress, but that’s the state-of-the-art. The securing of 
these systems is a continuing process. The report back to Mr. Pode- 
sta identified those processes and the verification that each of our 
sites had done. It did not say that there were no vulnerabilities. 
In fact, there are vulnerabilities that continue to be discovered and 
exploited. 

Mr. Burr. Is the vulnerability — and I am not a techie, clearly 
you are — is the vulnerability of a Web server and its potential use 
to launch attacks a new phenomena, or is that something that has 
existed since Web servers have been out there? 

Mr. Gilligan. The potential to use 

Mr. Burr. Is that the last place we look for a vulnerability, or 
is it one of the first places? 

Mr. Gilligan. The Web server is generally not a high risk, a 
highly vulnerable computer, because of the limited functions it per- 
forms, and in general, Web servers are intended for public access, 
and the protection on those is primarily to ensure that the informa- 
tion content that is primarily read only is, in fact, preserved. 

Mr. Burr. Let me turn to Mr. Podonsky, who did the investiga- 
tion. Is a Web server a tool that one should be concerned with if 
that Web server is unsecured and can be used to launch attacks 
on? 

Mr. Peterson. Absolutely. For one, it could be an embarrass- 
ment to the Department having it defaced, and then the second one 
is to have our resources from the DOE to be used in an illicit man- 
ner. 

Mr. Burr. Let me just read from your report if I can. I quote: 
Most of these Web servers were found to be vulnerable to common 
hacking exploits, and some contained vulnerabilities that could 
allow any Internet user to gain system administrator-level privi- 
leges. With this level of privilege an attacker could deface or shut 
down the Web site or configure the server to launch attacks against 
other Internet entities causing public embarrassment to DOE. 

So, in fact, you did put it in your report — in the way that you’ve 
stated it, it sounds fairly serious. 

Let me just ask one last question, Mr. Chairman. 

Glenn, your report also concluded by stating this, and this is 
alarming to me, it really is: Senior management attention is need- 
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ed to establish a management structure conducive to effective un- 
classified cybersecurity at headquarters. Now, we have all praised 
Bill Richardson quite a bit. We have a lot of confidence in you, 
General. We have tremendous confidence in a lot of folks at the De- 
partment of Energy. But, Glenn, I have got to ask you, what led 
you to put that in your report, that senior management’s attention 
is needed? We’ve had a series of security breaches, of management 
blunders, I think. Nobody has ever questioned the commitment of 
the Secretary, but something led you to say senior management 
doesn’t get it yet. Who were you describing when you used the term 
“senior management”? 

Mr. PODONSKY. Let me answer your question in the following 
way. Last week I met with General Gordon, and one of the things 
he asked me about the new NNSA, what are some of the first 
things he ought to do. He was planning to go and do some tours 
of the sites around the complex, and I suggested that he first needs 
to take a look at headquarters, and he needs to take a good hard 
look at how headquarters operates. And I would say that what we 
were aiming at is when we looked at what is the root cause. Gen- 
eral Habiger and John Gilligan and all the folks that are dedicated 
to doing the right thing in the Department have mostly been focus- 
ing outside the headquarters is what our assessment was, and 
there’s an awful lot of organizations within that Department across 
the way there that may need to be working all in unison. 

So our focus was that senior management at headquarters needs 
to also take a look at the operation of the Forrestal as well the Ger- 
mantown building, not just the field offices. 

Mr. Burr. Technical question. My understanding is that DOE 
contractors in some way, shape or form are linked to regional of- 
fices and/or headquarters of the Department of Energy. Could those 
links also be used to launch attacks from, or could those links be 
used to exploit any security measures that we have in place? 

Mr. Peterson. We are concerned with the links from the exploi- 
tation aspect. Obviously it broadens your network perimeter, and 
then it will allow you — if you find the weakest point, then it allows 
you into that broad perimeter of that network, and then if you have 
enough time and skill, then you can take over a machine, a com- 
puter, and then use that to launch an attack against the Internet 
site. So that’s definitely a concern. 

Mr. Burr. General, let me just make one last statement, if I 
could. I do hope we go to a closed session, if not today, very quickly. 

I would only say this, that for a vault containing high-security 
information, one that we were concerned enough with to go 
through a process of individuals who could visit it. No. 1, and from 
that list who needed escorting, that apparently we have a full-time 
person who oversees the entry to that vault and the exit to that 
vault, it is amazing to me that there’s not some record of who 
accessed it when and if anyone removed something from that vault, 
and if so, when it was returned. If this were some type of nuclear 
material of which we have identified a similar set of scenarios that 
we have addressed, one of the remedies was that it no longer goes 
without some type of cataloging of who went, when they went, 
what they did, when it was returned, if it was taken off premises. 
I do hope that that’s a procedure that will change, and if it can’t 
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be accomplished through our current contractor, I hope the Depart- 
ment of Energy will be brave enough to review this contract and 
to look at somebody that can run a facility with the type of proce- 
dures that we need, as Mr. Gilligan said, in an ever-changing tech- 
nological world that every day we’re faced with a new risk and a 
new challenge. 

And with that, I thank all four of you, and I yield back. 

Mr. Upton. Thank you. 

I just want to note, thanks to the membership of Mrs. Wilson on 
the Intelligence Committee, we’ve been able to secure the intel- 
ligence room in the Capitol until 2 o’clock. General Habiger, would 
you be able to come maybe at like 1 until 2:00? 

Mr. Habiger. Sir, at your convenience. 

Mr. Upton. Okay. Well, we’ll put a notice to all members of the 
full committee that that is available, and you know where it is in 
the Capitol; do you not? 

Mr. Habiger. I’ll find it. 

Mr. Upton. It’s hard to find. I’m sure David can help you. 

We’ll yield at this point. I am going to leave here shortly. Mr. 
Burr is going to take over the chairmanship, and I will see you at 
1 o’clock, and at this point we’ll yield to Mrs. Wilson, who has got 
a couple more questions. 

Mrs. Wilson. Thank you, Mr. Chairman. I do have a couple of 
more questions, particularly about cybersecurity at the head- 
quarters. And, General, I have a lot of sympathy for your situation, 
trying to get a job done and convince — I have been in that situation 
myself — trying to convince the budget guys that you have got a job 
to do and you need the resources to do that job and so forth. But 
I do think it’s important to make sure this chronology is in the 
record with respect to cybersecurity, and I think I have kind of 
compiled my own summary of it at this point. And I think it’s im- 
portant for everybody to understand what happened in 1999 and 
where we are now. 

In January 1999, the Cox report was finished in its classified 
form, briefed to the administration and key Members of Congress. 

Of course, by that time, the administration’s budget request was 
already in and up here, and there are a number of requests that 
come in to amend that throughout the year as we are beginning 
work on it. 

On May 14, 1999, the Department of Energy requested an 
amendment to the President’s budget request for cybersecurity. 
That went to the energy and water committee, and that request 
was for $8.5 million, and it was fully funded. 

May 25, the Cox report is publicly released in its unclassified 
form, and there is a firestorm of hearings and investigations and 
responses in both the Defense Committee, the Intelligence Com- 
mittee and this committee all the way through June. It affected the 
defense authorization, intelligence authorization and the appropria- 
tions bill. 

On about July 13, as I understand it, there was a request in the 
energy and water committee for $35 million. General, for your of- 
fice. It was listed as security. The committee asked for further jus- 
tification and breakdown and were not able to get it. This is 24 
hours before the markup in subcommittee. It was not listed as for 
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cybersecurity. It was for the funding of your office, and I have no 
doubt at all that your office needs that funding to do your job. 
Without that supported breakdown, you were given $7 million ini- 
tially from that subcommittee mark, but it wasn’t cybersecurity, it 
was for your operations in your office, and I understand that’s en- 
tirely legitimate. 

It then goes through the House and over to conference. I would 
note that there’s a man named Senator Pete Domenici, who I know 
pretty well, who is on that conference committee, and if there was 
a shortage for cybersecurity, particularly for the nuclear weapons 
complex, it would not have been particularly difficult to get that 
put into the bill. 

In the fall, the labs continue on looking at cybersecurity and 
their needs and making plans and assessments of the costs of this 
whole thing, and when we come back in January, me and a whole 
bunch of other folks were expecting a major request for a supple- 
mental, particularly related to the cybersecurity, but in February 
we get the White House’s supplemental request, and they only 
asked for $4 million for cybersecurity. 

We then get a group together here of experts and others and ask 
in early March, is that adequate? Is this real? And the answer is 
quietly, no, it’s not. It’s not the real number, it’s not the real need. 
So we make the request of Energy and Water in a separate supple- 
mental to bump that up significantly. I ask for $90 million; $45 
million is added specifically for cybersecurity. 

I think that is important as a chronology because, now, I think 
there’s sometimes an attempt to shift blame around. And I under- 
stand that you’re in a difficult situation. You have to get up and 
operating as a security office, but with respect to cybersecurity and 
the requests that come in for cybersecurity, I think the appropri- 
ators have been pretty good at working with those members like 
myself who are concerned about this issue and fully funding the re- 
quests that are identified as protecting our security programs, our 
computer security, and we’ll continue to fight those battles up here 
and get the money that’s needed. I frankly wish that I had more 
support from the administration when it comes to really identifying 
the actual costs that are going to be needed, and I’d appreciate it 
if you’d take that one back. 

I do have some questions concerning this chart, some more 
things. First from Mr. Gilligan, is there a single unified risk assess- 
ment and a security plan for the headquarters network as a whole? 

Mr. Gilligan. Congresswoman Wilson, there is not, and, in fact, 
I think that’s one of the observations that the independent over- 
sight review points out that I agree is a weakness in our implemen- 
tation. If I look at how we implemented cybersecurity policies with- 
in the headquarters, each individual subordinate organization in 
the headquarters implemented the policies individually. So there 
are multiple risk assessments. There are multiple cybersecurity 
plans, there are multiple cybersecurity implementations, and I 
think Mr. Podonsky’s team correctly identifies this as an overall 
weakness because we have some offices who do a very good job of 
implementing those plans, correcting the vulnerabilities, and other 
offices who have not done a good job, but it becomes a shared risk. 
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So the action that was taken by the Deputy Secretary in essence 
expands my job, so not only am I to have policy responsibility for 
the entire Department, but I now have operational responsibility 
which I did not have previously for the entire headquarters. In the 
past I had operational responsibility through an operations organi- 
zation that happens to be attached to me for small subsets of the 
headquarters, and, in fact, those portions of the headquarters were 
viewed as very strong in the independent oversight review, yet they 
were vulnerable to other offices who had weaker security. So now 
that I have responsibility for the operational security of the entire 
headquarters, we can do one plan, one risk assessment, one set of 
policies and procedures, and I can enforce those policies and proce- 
dures across the headquarters. 

Mrs. Wilson. When were you given that additional authority? 

Mr. Gilligan. On June 8. 

Mrs. Wilson. Okay. Does DOE have a comprehensive list of the 
external connections so that anything that enters those circles or 
those subcircles here — do you have a comprehensive list of external 
connections? 

Mr. Gilligan. Ma’am, we have a list. I would not say that it is 
a comprehensive list. I think that is a continued vulnerability. The 
Internet networking technology that we have today lets connections 
be made quite rapidly, and that would be part of the objective of 
establishing a very rigorous perimeter across all of the head- 
quarters systems and a what is called connection policy which we 
can enforce, which would, in fact, then allow us to map what are 
all the external connections, do they, in fact, conform to the secu- 
rity provisions that must be in place before an external connection 
is permitted, and that’s more part of the activity that’s under way 
now. 

Mrs. Wilson. With respect to the additional authority that you 
have been given on June 8, and I also have some sympathy for 
your situation being responsible for something, but I would guess 
a lot of the guys who have to implement this don’t really work for 
you, they still work down in DP and lA and NN and those kinds 
of things. Is that right? 

Mr. Gilligan. That’s correct. My office now has overall responsi- 
bility. We will still work with the individual offices, but now I have 
the accountability and responsibility to make it work, and I can go 
to the Deputy Secretary and the Secretary as needed to identify 
problems, where in the past I did not have any clear authority. I 
could identify concerns, but I had no specific responsibility or au- 
thority. That has been clarified with the Deputy Secretary’s memo 
of June 8. 

Mrs. Wilson. What additional authority do you really have? Can 
you really tell DP or CR or EH or any of these little suborganiza- 
tions, “Shut down your computer network until you fix the fol- 
lowing problems?” 

Mr. Gilligan. That is one of the new authorities that I have. 
With my ability now to enforce a connection policy, if that policy 
is not adhered to, I can and will shut down those organizations. 

Mr. Burr [presiding]. If the Chair could ask the gentlelady to 
wrap up as quickly as she can, I think that it’s only right to allow 
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them the opportunity for a break in between the 1 o’clock session. 
So if you would wrap up as quickly as you can. 

Mrs. Wilson. Thank you, Mr. Chairman. In fact, I think that 
probably concludes the things that I’d like to pursue in this forum, 
and I thank all of you for your time. 

Mr. Burr. I thank the gentlelady. I didn’t think she’d be quite 
that quick, but the Chair would ask unanimous consent for the 
record to remain open for the purposes of opening statements of 
any members that request to enter those and for additional ques- 
tions of members. 

Gentlemen, let me once again thank you on behalf of this com- 
mittee. I hope all of you understand the seriousness that we not 
only take of the headquarters evaluation, but the findings within 
the last 48 hours of continuation of a breach of our security at our 
labs. 

Our hope is that, Mr. Podonsky, you will move forward with — 
at some point with an audit of the classified areas of headquarters, 
and that we will have an opportunity to review that. 

And my hope is, Mr. Gilligan, with this new responsibility, and 
that’s the coordination of one plan for security at headquarters, 
that you will be successful in making sure that that’s implemented 
in the fashion that you see appropriate. 

My hope. General, is that at some point we can get one plan for 
the individual labs that you have and your team have the con- 
fidence in that it is secure. 

With this, this hearing is adjourned. 

[Whereupon, at 12:15 p.m., the subcommittee was adjourned.] 



